Abstract. We present a survey of quantum algorithms, primarily for an intended audience of 
pure mathematicians. We place an emphasis on algorithms involving group theory. 

1. Introduction 

It has been known for some time that simulating quantum mechanics (on a computer based on 
classical mechanics) takes time which is exponential in the size of the system. This is because the 
total quantum state behaves as a tensor product of the individual states [55]. In 1982 Feynman [20] 
asked whether we could build a computer based on the principles of quantum mechanics to facilitate 
this task of simulation. Deutsch, in 1985, [14] extended the question and asked whether there are 
any problems which can be solved more efficiently on such a quantum computer. He answered the 
question in the affirmative, within the abstract setting of black boxes and query complexity. This 
was done by demonstrating a property of a black box function which requires two evaluations for 
its determination on a classical computer, but only one evaluation on a quantum computer. This 
work was generalised by Deutsch and Jozsa [15] in 1992 with an algorithm to distinguish between 
constant and balanced functions in a single evaluation. This is an exponential speed-up over the 
deterministic classical case. However, use of classical non-deterministic algorithms removes this 
exponential gap. 

Shor's celebrated algorithm [53], [54] for factoring integers efficiently on a quantum computer 
gave the subject a huge boost in 1994, because of its applicability to the RSA cryptosystem. This 
factoring is possible due to the ability of the quantum computer to find the period of a function 
quickly, given that we are promised in advance that the function is periodic. It does this using 
the quantum Fourier transform, which can be constructed efficiently using a technique similar to 
that of the fast Fourier transform. Another well-known quantum algorithm is Grover's algorithm 
[23], which performs an unstructured search in a list of size $N$ in time $O(\sqrt{N})$. This uses a wholly 
different approach to Shor's algorithm and is based on the geometric idea of rotating towards a 
solution within the quantum state. It is worth noting that a quantum computer can be simulated 
on a classical computer (albeit very slowly). So something which is classically algorithmically 
undecidable (for example the word problem for finitely presented groups) remains undecidable on 
a quantum computer. Thus we only gain improvements in efficiency: the impact of the model 
of quantum computing described here is on complexity theory. We note in passing that our 
model of quantum computing, though the most generally accepted, is not the only one that has been 
proposed. For example adiabatic quantum computing [18], [19] is based on a continuous version 
of the usual model, in which the evolution of the quantum system is given by its Hamiltonian 
which is dependent on a parameter which varies smoothly from 0 to 1. Interesting methods and 
questions arise from the study of this model: see [57]. 

What is interesting to us is that group theory is playing an increasingly important part in providing 
algorithms which are amenable to quantum computing. The modern setting for the class of 
quantum algorithms which use the Fourier transform (including Shor's algorithm and the Deutsch- 
Jozsa algorithm) is the hidden subgroup problem. We describe this and mention the cases where it 
has and has not been solved. The general case of the hidden subgroup problem (for an arbitrary 
finite group) is still open and is known to include the graph isomorphism problem as a special 
case. 

The main strand of group theory in quantum computing consists of efficient quantum algorithms 
in finite groups, of which the hidden subgroup problem is but one. Results relating to the group 
non-membership problem are proved by Watrous in [59], where he shows that this problem lies in 
a quantum complexity class analogous to Babai and Moran's Merlin-Arthur games class MA (as 
defined in [2]). Our article culminates with another recent algorithm due to Watrous (HO] , which 
efficiently finds the order of a black box solvable group. This builds on Shor's algorithm but also 
contains essential new ingredients which seem to crucially depend on group-theoretic structure. 

Sections 2,3,4 and 6 of these notes are based on a course of eight lectures given by the first named 
author to staff and postgraduate students at the University of Newcastle upon Tyne in the summer 
of 2002. He thanks all those who took part for their interest and enthusiasm. He also thanks John 
Watrous for useful conversations at the University of Calgary in March 2003. 

Sources we found especially useful while preparing this document were [8] and [49] for a first 
overview of quantum computing, [29] and [45] for further depth and general background, with 
[16] and [48] providing the more detailed aspects of Shor's algorithm; the former for its exposition 
of the number-theoretic aspects in particular, and the latter for its account of implementing the 
quantum Fourier transform efficiently. It should be noted at this point that we have taken Shor's 
approach to this algorithm rather than that of Kitaev [38], mainly because the former came to our 
attention first. For the Deutsch-Jozsa algorithm, [46] and [12] provided good recent accounts. We 
made use of Jozsa's survey [33] for the hidden subgroup problem, as well as many sources quoted 
in Section POl Watrous' work was taken from the original sources, although we have changed 
some of the notation to make it clearer to ourselves. 

We thank the referee for careful reading of the manuscript and many helpful remarks. 

2. The basics of quantum computing 

2.1. An overview. Before we start to describe the mathematical nuts and bolts of quantum 
computing it is perhaps worth describing informally what happens during a quantum computation, 
and how it differs from a classical computation. Later, in Section EHfl we shall give a fuller and 
more formal account of our standing model of quantum computation. 

A quantum system is both constrained by and enriched by the quantum mechanics which apply to 
the physical device used to store and manipulate data. These devices may consist for example of 
ion traps, optical photons or nuclear magnetic resonance systems, among others (see [45] for a brief 
account of possible technologies). At this stage the reader may start to feel anxiety through lack of 
knowledge of quantum physics, but in fact no physics is required to understand the computational 
model described in this article: such knowledge is needed only to understand where the seemingly 
strange rules come from. In any case we shall cover what's needed as and when required. 

The memory (register) of a classical computer consists of a set of classical bits, each of which 
can be in one of two states, 0 or 1. We can therefore view the memory of an $n$-bit computer as 
the set $\mathbb{Z}_2^n$, the direct sum of $n$ copies of $\mathbb{Z}_2 = \mathbb{Z}/2\mathbb{Z}$. The states of such a computer are binary 
sequences of length $n$, which we regard as elements of $\mathbb{Z}_2^n$. Computations then consist of sequences 
of functions $f : \mathbb{Z}_2^n \to \mathbb{Z}_2^n$, which allow the state of the system to be transformed. For example 
the classical NOT gate is the function $\neg : \mathbb{Z}_2 \to \mathbb{Z}_2$ given by $\neg(i) = i + 1 \bmod 2$. The final state 
determines the result of the computation. 

The memory of a quantum computer consists of a finite dimensional complex vector space $V$, with 
an inner product (in fact a Hilbert space). A state of this quantum computer is a unit vector 
in $V$. Given a set $X$ we denote by $\mathbb{C}X$ the complex vector space with basis the elements of $X$. 
For example $\mathbb{C}\mathbb{Z}_2$ is a 2-dimensional vector space. Corresponding to the classical $n$-bit computer 
above we have the $n$ quantum bit or $n$-qubit quantum computer which has memory consisting of 
the $2^n$-dimensional vector space $V = \mathbb{C}\mathbb{Z}_2^{\otimes n}$ (by which we mean the $n$-fold tensor product of $\mathbb{C}\mathbb{Z}_2$). 
Note that the dimension of $\mathbb{C}\mathbb{Z}_2^{\otimes n}$ is the same as the dimension of $\mathbb{C}(\mathbb{Z}_2^n)$: elements of the basis 
of both vector spaces are in one to one correspondence with $n$-tuples of elements of $\mathbb{Z}_2$. However 
the inner product in these spaces is not the same and we shall see, in due course, that it is the 
tensor product which best encapsulates the physical characteristics of quantum mechanics. 

A quantum computation consists of three phases, an input phase, an evolutionary phase and a 
measurement or output phase. We assume that we can prepare simple input states, for example 
states consisting of basis vectors. Computations then consist of sequences of unitary linear 
transformations $\phi : V \to V$ which alter the state of the quantum computer from $v$ to $\phi(v)$. For example, 
if $\mathbb{Z}_2$ has elements 0 and 1 we may identify these with basis vectors $e_0$, $e_1$ of the vector space 
$\mathbb{C}\mathbb{Z}_2$. Then, corresponding to the classical NOT gate above, we have the quantum NOT gate: the 
unitary transformation $\neg : \mathbb{C}\mathbb{Z}_2 \to \mathbb{C}\mathbb{Z}_2$ given by $\neg(\alpha e_0 + \beta e_1) = \alpha e_1 + \beta e_0$, for all $\alpha, \beta \in \mathbb{C}$. That 
is, $\neg$ permutes the basis of $\mathbb{C}\mathbb{Z}_2$. Observe that if the computer is in state $(e_0 - e_1)/\sqrt{2}$ then one 
application of the quantum NOT gate results in the state $(-e_0 + e_1)/\sqrt{2}$. This behaviour, and its 
higher dimensional analogues, give rise to what is known as quantum parallelism. 

Quantum computing also derives additional power from the existence of unitary transformations 
which, unlike the previous example, do not arise from permutations of the basis of the quantum 
system. For example there is a unitary map, of $\mathbb{C}\mathbb{Z}_2$ to itself, sending basis vectors $e_0$ and $e_1$ to 
$(e_0 + e_1)/\sqrt{2}$ and $(e_0 - e_1)/\sqrt{2}$, respectively. There is no corresponding classical transformation 
as the images of the basis vectors cannot be stored on a one-bit classical register. 

After a computation on a classical computer the output can be observed and preserved for future 
use if necessary. A major difficulty in quantum computation is that the process of observation, 
or measurement, of the state of the quantum computer may, according to the laws of quantum 
mechanics, alter the state of the system at the instant of measurement. That is, measurement 
entails a transformation of the quantum state and the result observed is the transformed state. 
The process is, however, probabilistic rather than non-deterministic. For instance if the quantum 
state is $\alpha_1 v_1 + \cdots + \alpha_m v_m$, where $\alpha_i \in \mathbb{C}$, $\{v_i : i = 1, \ldots, m\}$ is an orthonormal basis for $V$ and 
$|\alpha_1|^2 + \cdots + |\alpha_m|^2 = 1$, then, under a standard measurement scheme, we observe $v_i$ with probability 
$|\alpha_i|^2$. Typically in a quantum algorithm states are manipulated to change probabilities so that 
some characteristic of the output can be detected. In fact most quantum algorithms are Monte 
Carlo algorithms which have some probability of success bounded away from zero. This allows us 
to make the probability of failure of the algorithm arbitrarily small, by repetition. 



2.2. Dirac's bra ket notation and conventions for linear algebra. We refer the reader 
to [27] as standard reference for linear algebra and [37] for further details of linear operators. We 
consider only finite dimensional complex vector spaces equipped with inner products. A quantum 
state means a unit vector in such a space. A superposition means a linear combination of given 
vectors which is of unit length. An amplitude is a coefficient of a vector expressed in terms of 
some fixed basis. If we have a superposition of vectors in which all the (non-zero) amplitudes have 
equal size then we say we have a uniform superposition. These terms are all standard within the 
field of quantum computation. 

The use of ket $|\cdot\rangle$ and bra $\langle\cdot|$ to denote vectors and their duals is also standard in quantum 
mechanics. Although we do not use it heavily in this article it is a concise and manageable 
notation, once it becomes familiar, so we include a description before moving on to a detailed 
discussion of quantum computation. 

A vector with label $\psi$ is written using the ket notation as $|\psi\rangle$. For instance, if $X$ is a set then 
$\{|x\rangle : x \in X\}$ denotes an orthonormal basis for $\mathbb{C}X$, with the usual inner product. Also, if $V$ is 
an $m$-dimensional inner product space then we write $\{|0\rangle, \ldots, |m-1\rangle\}$ to denote an orthonormal 
basis of $V$. Our convention, which seems to be the standard in quantum mechanics, is that the 
inner product on $V$ is linear in the second variable and conjugate-linear in the first variable. Using 
the bra-ket notation we write the inner product of $(|x\rangle, |y\rangle) \in V \times V$ as $\langle x|y\rangle$. If $W$ is also an inner 
product space and $T$ is a linear operator from $V$ to $W$ then $\langle x|T|y\rangle$ denotes the inner product of 
$(|x\rangle, T(|y\rangle))$, where $x \in W$ and $y \in V$ (and the inner product is that of $W$). There is an immediate 
pay-off to the use of this notation as follows. If $V$ has orthonormal basis $\{|v_1\rangle, \ldots, |v_m\rangle\}$ and $W$ 
has orthonormal basis $\{|w_1\rangle, \ldots, |w_n\rangle\}$ then the matrix of $T$ with respect to these bases is easily 
seen to have $(i,j)$th entry $\langle w_i|T|v_j\rangle$. 

Given $T$ as above we write $T^\dagger$ for the adjoint of $T$: that is the unique linear operator $T^\dagger$ from $W$ 
to $V$ such that $\langle T^\dagger(|x\rangle)|y\rangle = \langle x|T|y\rangle$ (where the inner product on the left hand side is that of $V$). 
If $A$ is the matrix of $T$ then the matrix of $T^\dagger$ is the conjugate transpose of $A$ and is also denoted 
$A^\dagger$. A linear operator $T$ is unitary if $T^\dagger T = I = TT^\dagger$. 

We may regard a vector $|x\rangle \in V$ as a linear operator from $\mathbb{C}$ to $V$, taking 1 to $|x\rangle$. Then the 
dual of $|x\rangle$ is $|x\rangle^\dagger$, the linear functional taking $|y\rangle$ to $\langle x|y\rangle$. Using bra notation, we write $\langle x|$ for 
$|x\rangle^\dagger$ and then $\langle x|(|y\rangle) = \langle x|y\rangle$. To reconcile this with the more familiar row and column notation 
for vectors and their duals, suppose that $|x\rangle$ and $|y\rangle$ are the column vectors $(1, i, 2-i)^T$ and 
$(2i, 1+i, 1)^T$, respectively. Then $|x\rangle^\dagger$ is $(1, -i, 2+i)$ and so 

$$\langle x|(|y\rangle) = (1, -i, 2+i)(2i, 1+i, 1)^T = 3 + 2i = ((1, i, 2-i)^T, (2i, 1+i, 1)^T) = \langle x|y\rangle.$$

Continuing in the spirit of this example, suppose $V$ and $W$ have orthonormal bases $\{v_1, v_2, v_3\}$ 
and $\{w_1, w_2\}$, respectively, with respect to which $|x\rangle = (a_1, a_2, a_3)^T$ and $|y\rangle = (b_1, b_2)^T$. Then 
we can evaluate the outer, or tensor, product of $|x\rangle$ and $|y\rangle$ which is given by $(a_1, a_2, a_3)^T (b_1, b_2)$. 
This is the $3 \times 2$ matrix with $(i,j)$th entry $a_i b_j = \langle v_i|x\rangle \langle y|w_j\rangle$. This suggests that if $V$ and $W$ 
are vector spaces, $x \in W$ and $y \in V$, then $|x\rangle\langle y|$ be defined as the linear operator from $V$ to $W$ 
given by the rule 

$$|x\rangle\langle y|(|v\rangle) = |x\rangle\langle y|v\rangle = \langle y|v\rangle\,|x\rangle, \quad \text{for } v \in V,$$

that is, \x)(y\ is the tensor product of \x) and In fact \x)(y\ G ® V, where denotes the 
dual space of W. 

We may also regard \x)(y\ as the bilinear map V x — > C which sends |v)(to| to 

For example $\mathbb{C}\mathbb{Z}_2$ has basis $\{|0\rangle, |1\rangle\}$ and $|0\rangle\langle 1|$ is the linear operator sending $|1\rangle$ to $|0\rangle$ and $|0\rangle$ to 
the zero vector 0. If we identify $|0\rangle$ and $|1\rangle$ with $(1,0)^T$ and $(0,1)^T$, respectively, then this linear 
operator has matrix 




The Dirac notation for the transformation is more concise than the matrix representation. In fact 
the size of matrices required to describe linear maps grows exponentially in the number of qubits 
of the quantum computer. 

As another example, the quantum NOT gate can be written as 

$$|0\rangle\langle 1| + |1\rangle\langle 0|.$$

Tensor products of vector spaces are always over $\mathbb{C}$. If $|v\rangle \in V$ and $|w\rangle \in W$ then $|v\rangle \otimes |w\rangle$ 
may be written as either $|v\rangle|w\rangle$ or as $|vw\rangle$ and we use all these notations interchangeably, as 
convenient. Moreover this notation extends to $n$-fold tensor products in the obvious way. For 
example the tensor product $\mathbb{C}\mathbb{Z}_2 \otimes \mathbb{C}\mathbb{Z}_2$ is a 4-dimensional vector space with basis consisting of 
$|00\rangle$, $|01\rangle$, $|10\rangle$ and $|11\rangle$. More generally $\mathbb{C}\mathbb{Z}_2^{\otimes n}$ is $2^n$ dimensional and has a basis consisting of 
$|0\cdots 0\rangle, \ldots, |1\cdots 1\rangle$, which we can write as $|0\rangle, \ldots, |2^n - 1\rangle$, by identifying $(i_0, \ldots, i_{n-1}) \in \mathbb{Z}_2^n$ with 
the integer $2^{n-1} i_0 + \cdots + 2^0 i_{n-1}$; that is, by regarding elements of $\mathbb{Z}_2^n$ as binary expansions of 
integers. 

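Note that if $M$ and $N$ are complex inner product spaces then $M \otimes N$ can be made into an inner 
product space by defining the inner product of $a \otimes b$ with $c \otimes d$ as $\langle a \otimes b|c \otimes d\rangle = (a, c)(b, d)$. Thus 
if $x_i, y_i \in V_i$ and $|x\rangle = |x_1 \cdots x_n\rangle$ and $|y\rangle = |y_1 \cdots y_n\rangle$ are elements of an $n$-fold tensor product 
$\bigotimes_{i=1}^n V_i$, then 

$$\langle x|y\rangle = \prod_{i=1}^{n} \langle x_i|y_i\rangle. \tag{2.1}$$

In particular if $V = \mathbb{C}\mathbb{Z}_2^{\otimes n}$ and $|x\rangle$ and $|y\rangle$ are elements of $\mathbb{Z}_2^n$ then 

$$\langle x|y\rangle = \prod_{i=1}^{n} \delta_{x_i, y_i}, \tag{2.2}$$

where $\delta_{ij}$ is the Kronecker delta. 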

Suppose that $\theta : V_1 \to V_2$ and $\phi : W_1 \to W_2$ are linear transformations. Then $\theta \otimes \phi$ is a linear 
transformation of $V_1 \otimes W_1 \to V_2 \otimes W_2$. Suppose that $A$ and $B$ are the matrices of $\theta$ and $\phi$ with 
respect to some fixed bases of $V_i$ and $W_i$, $i = 1, 2$. These bases induce bases of $V_1 \otimes W_1$ and 
$V_2 \otimes W_2$ in a natural way: if $v$ and $w$ are basis vectors of $V_1$ and $W_1$, respectively, then $v \otimes w$ is a 
basis vector of $V_1 \otimes W_1$. We adopt the convention that these natural induced bases are ordered so 
that the matrix $A \otimes B$ of $\theta \otimes \phi$ is the right Kronecker product 

$$\begin{pmatrix} a_{11}B & \cdots & a_{1m}B \\ \vdots & & \vdots \\ a_{n1}B & \cdots & a_{nm}B \end{pmatrix}$$

of $A$ and $B$. 

2.3. The postulates of quantum mechanics. We shall now describe more thoroughly 
how the physical laws of quantum mechanics give rise to a model of quantum computation and 
establish a framework within which the theory of quantum computation may be developed. Our 
account is taken largely from [45], where further details may be found. 

A quantum computer consists of a quantum mechanical system, necessarily isolated from the 
surrounding environment, so that its behaviour may be externally controlled and is not disturbed 
by events unrelated to the control procedures. The following postulates provide a model for such 
a system. Discussion of whether this is the best or correct model of quantum mechanics is outside 
the scope of this article. 

Postulate 1: Quantum mechanical systems 

Associated to an isolated quantum mechanical system is a complex inner product space 
V. The state of the system at any time is described by a unit vector in V. 

As we are concerned with computation using limited resources we consider only finite dimensional 
systems. The basic system we shall consider is the 2-dimensional space $\mathbb{C}\mathbb{Z}_2$ with basis $\{|0\rangle, |1\rangle\}$, 
known as a single qubit system. A state of a single qubit system is a vector $\alpha|0\rangle + \beta|1\rangle$ where 
$|\alpha|^2 + |\beta|^2 = 1$. If neither $\alpha$ nor $\beta$ is zero the state is called a superposition. For example, 
$(|0\rangle + |1\rangle)/\sqrt{2}$ is a superposition, which is also uniform. 

We may also consider the $n$-dimensional space $\mathbb{C}\mathbb{Z}_n$ with basis $\{|0\rangle, \ldots, |n-1\rangle\}$ as a basic 
quantum system. However it seems likely that physical implementations of quantum computers will 
normally be restricted to systems built up from qubits. We defer consideration of more complex 
systems until after Postulate 4. 

Next we consider how transformation of the system from one state to another may be realised: 
that is how to program the computer. 

Postulate 2: Evolution 

Evolution of an isolated quantum mechanical system is described by unitary transformations. 
The states $|v_1\rangle$ and $|v_2\rangle$ of the system at times $t_1$ and $t_2$, respectively, are related 
by a unitary transformation $\phi$, which depends only on $t_1$ and $t_2$, such that $\phi(|v_1\rangle) = |v_2\rangle$. 

In the case of quantum computing evolution takes place at discrete intervals of time, finitely often, 
so evolution of the system is governed by a finite sequence of unitary transformations. In the 
classical setting, elementary computable functions are commonly referred to as gates. Analogously, 
certain basic unitary transformations of a complex vector space are referred to as quantum gates. 
In this article, since we do not wish to become involved in discussion of the technical details of 
implementation of unitary transformations on a quantum computer, we shall refer to any unitary 
transformation as a gate. 

Postulate 3: Measurement 

A measurement of a quantum system consists of a set $\{M_m : m = 1, \ldots, k\}$ of linear 
operators on $V$, such that 



k 



(2.3) 




m— 1 



The measurement result is one of the indices $m$. If $V$ is in state $|v\rangle$ then the probability 
that $m$ is observed is 

$$p(m) = \langle v|M_m^\dagger M_m|v\rangle = \langle M_m(|v\rangle)\,|\,M_m|v\rangle\rangle.$$



If m is observed then the state of V is transformed from v to 



M m \v) 
Observe that (2.3) implies that $p$ is a probability measure as 

$$\sum_{m=1}^{k} p(m) = \sum_{m=1}^{k} \langle v|M_m^\dagger M_m|v\rangle = \langle v|v\rangle = 1.$$



We usually restrict attention to the special case of measurement where $M_m$ is self-adjoint and 
$M_m^2 = M_m$, for all $m$, and $M_m M_n = 0$, when $m \neq n$. Such measurements are called projective 
measurements. In the case of projective measurement there are mutually orthogonal subspaces 
Pi, . . . , Pk of V such that V — J2 m ^ m an d M m — J2i f° r some orthonormal basis : i = 

0, . . . , d m — 1} of P m . That is M m is projection onto P m . It turns out, as shown in [45] that, with 
the use of Postulates 2 and 4, measurements of the type described in Postulate 3 can be achieved 
using only projective measurements. 

In fact most measurements we make will be of the form $\{M_m = |m\rangle\langle m| : m = 0, \ldots, n-1\}$, 
where $V$ is $n$-dimensional and the basis used to describe the state vector and evolution of $V$ is 
$\{|m\rangle : m = 0, \ldots, n-1\}$. These are called measurements with respect to the computational basis. 
In this article all measurements are taken with respect to the computational basis, unless they're 
explicitly defined. 

For example suppose we have a single qubit system in state $Q = a|0\rangle + b|1\rangle$, where $|a|^2 + |b|^2 = 1$. 
If we observe $Q$ with respect to the computational basis we obtain 0 with probability $\langle Q|0\rangle\langle 0|Q\rangle = |a|^2$ 
and 1 with probability $\langle Q|1\rangle\langle 1|Q\rangle = |b|^2$. The quantum system enters the state 

$$\frac{|0\rangle\langle 0|Q\rangle}{|a|}$$

if 0 is measured and 

$$\frac{|1\rangle\langle 1|Q\rangle}{|b|}$$

if 1 is measured. It turns out, as we'll see in Section 2.4, that these factors, $a/|a|$ and $b/|b|$, of 
modulus 1 can be ignored and we can assume that the system is either in state $|0\rangle$ or $|1\rangle$ after 
measurement. Note that if $i$ was measured then further measurements in the computational basis 
will result in $i$ with probability 1. 

We shall write 

Pm{\^) 

for the probability that $a$ is observed when a register containing $|\psi\rangle$ is measured with a 
measurement $M$. 

We shall often abuse notation by saying that $M_m|v\rangle$ is observed when we mean that $m$ is observed, 
as the result of a measurement. In particular, when measuring with respect to the computational 
basis it's often convenient to say that $|x\rangle$, instead of $x$, has been observed. This abuse extends to 
the notation for the probability that $m$ is observed. 

We now consider how single qubit systems may be put together to build larger systems. 

Postulate 4: Composite systems 

Given quantum mechanical systems associated to vector spaces $V$ and $W$ there is a 
composite quantum mechanical system associated to $V \otimes W$. 

By induction this extends to composites of any finite number of systems. The composite of 2 
single qubit systems is $\mathbb{C}\mathbb{Z}_2 \otimes \mathbb{C}\mathbb{Z}_2$, a 4-dimensional space with basis vectors $|00\rangle, |01\rangle, |10\rangle, |11\rangle$. 
We call this a 2-qubit system or 2-qubit quantum register. Similarly an $n$-qubit system or quantum 
register is a copy of the $2^n$-dimensional space $\mathbb{C}\mathbb{Z}_2^{\otimes n}$, which, as described in Section 2.2, has basis 
$\{|i\rangle : i = 0, \ldots, 2^n - 1\}$. We shall by default assume that an $n$-qubit system is equipped with this 
standard basis; and immediately introduce an exception. Given an $m$-qubit system $V_m$ and an 
$n$-qubit system $V_n$, we may form the $(m+n)$-qubit system $V_m \otimes V_n$, which is naturally equipped with 
the basis $\{|ij\rangle : i = 0, \ldots, 2^m - 1,\ j = 0, \ldots, 2^n - 1\}$. 

An $n$-qubit system is the quantum analogue of the classical $n$-bit computer. Note that whereas 
$n$ bits can contain, at any one time, one of $2^n$ possible values, a quantum computer can be in a 
superposition of all of these values, in principle in infinitely many different ways. This completes 
our description of quantum mechanical systems. We shall investigate some of the consequences in 
the next few sections. 

2.4. Phase factors. Suppose that we have measurement $\{M_m : m = 1, \ldots, k\}$ of an $n$-qubit 
system. The probability that $m$ is observed when the system is in state $|x\rangle$ is then 

$$p(m, |x\rangle) = \langle x|M_m^\dagger M_m|x\rangle = \langle e^{i\theta}x|M_m^\dagger M_m|e^{i\theta}x\rangle = p(m, e^{i\theta}|x\rangle),$$

for any real number $\theta$. We call a complex number of modulus 1 a phase factor. Therefore, as 
far as the probabilities of what is observed are concerned, multiplication by a phase factor has no 
effect. 

Also, $T(e^{i\theta}|x\rangle) = e^{i\theta}T|x\rangle$, for any linear transformation $T$. Hence, if the system starts in state 
$|x\rangle$ and after evolution or measurement (or both) its final state is $|y\rangle$ then we can say that starting 
in state $e^{i\theta}|x\rangle$ the final state is $e^{i\theta}|y\rangle$. 

Therefore the introduction of the phase factor $e^{i\theta}$ is essentially invisible to the quantum computer. 
Consequently we regard the states $|x\rangle$ and $e^{i\theta}|x\rangle$ as the same state. We now see that after a 
measurement in the computational basis, as in Section 2.2, we may assume that the quantum 
system projects to a basis vector of the system (with coefficient 1). 

Note that what we have said about phase factors applies only to scalar multiples of the entire unit 
vector which comprises the state. Altering individual coefficients of a state by a phase factor may 
indeed change the state. For example $i(|0\rangle + |1\rangle)/\sqrt{2}$ and $(|0\rangle + |1\rangle)/\sqrt{2}$ both correspond to the 
same state of a quantum system but are not the same as $(|0\rangle + i|1\rangle)/\sqrt{2}$. 
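
The three states of the last paragraph can be compared numerically. The following is an added example, not part of the original survey: it implements measurement in the computational basis and uses the unitary map of Section 2.1 (called `H` here, a name chosen for this sketch) to show that a global phase factor never changes an outcome probability, while a phase on a single coefficient does once the state has evolved.

```python
import math

SQRT2 = math.sqrt(2)

# The unitary map of Section 2.1 sending e0 -> (e0 + e1)/sqrt(2)
# and e1 -> (e0 - e1)/sqrt(2), written as a matrix (list of rows).
H = [[1 / SQRT2, 1 / SQRT2],
     [1 / SQRT2, -1 / SQRT2]]


def apply(matrix, state):
    """Evolve a state (list of amplitudes) by a linear map."""
    return [sum(row[j] * state[j] for j in range(len(state))) for row in matrix]


def scale(c, state):
    """Multiply the whole state vector by the scalar c."""
    return [c * a for a in state]


def probabilities(state):
    """Measurement with M_m = |m><m|: p(m) = <v|M_m^dagger M_m|v> = |amplitude m|^2."""
    return [abs(a) ** 2 for a in state]


def post_measurement_state(state, m):
    """The state M_m|v> / sqrt(p(m)) entered when outcome m is observed."""
    p = abs(state[m]) ** 2
    if p == 0:
        raise ValueError("outcome m has probability zero")
    out = [0j] * len(state)
    out[m] = state[m] / math.sqrt(p)
    return out


def close(u, v, eps=1e-12):
    """Entrywise comparison up to floating point error."""
    return all(abs(a - b) < eps for a, b in zip(u, v))


plus = [1 / SQRT2, 1 / SQRT2]              # (|0> + |1>)/sqrt(2)
global_phase = scale(1j, plus)             # i(|0> + |1>)/sqrt(2), the same state
relative_phase = [1 / SQRT2, 1j / SQRT2]   # (|0> + i|1>)/sqrt(2), a different state


def summary():
    """Outcome probabilities measured directly and after evolving by H."""
    states = {"plus": plus, "global": global_phase, "relative": relative_phase}
    return {name: (probabilities(s), probabilities(apply(H, s)))
            for name, s in states.items()}


if __name__ == "__main__":
    for name, (direct, evolved) in summary().items():
        print(name, [round(p, 3) for p in direct], [round(p, 3) for p in evolved])
    # Q = 0.6|0> + 0.8i|1>: observing 1 leaves (b/|b|)|1> = i|1>, i.e. |1> up to phase.
    print(post_measurement_state([0.6, 0.8j], 1))
```

Measured directly, all three states give each outcome with probability 1/2; after `H` the first two give 0 with certainty, while the third still gives each outcome with probability 1/2.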

2.5. Multiple measurements. We'll often have cause to employ more than one measurement 
as part of a single algorithm. One obvious question is whether or not applying first one 
measurement and then a second is equivalent to applying a single measurement. The answer is yes, 
and the single measurement is the obvious one, as we shall now see. Let $M = \{M_m : m = 1, \ldots, k\}$ 
and $N = \{N_n : n = 1, \ldots, l\}$ be measurements. Then, from the definition of measurement, we 
have 

$$\sum_{m,n} (M_m N_n)^\dagger (M_m N_n) = \sum_{m,n} N_n^\dagger M_m^\dagger M_m N_n = \sum_{n} N_n^\dagger \Big(\sum_{m} M_m^\dagger M_m\Big) N_n = \sum_{n} N_n^\dagger N_n = I.$$

Therefore $L = \{L_{n,m} = M_m N_n : m = 1, \ldots, k,\ n = 1, \ldots, l\}$ is a measurement. 

We claim that measurement using $N$ followed by measurement using $M$ is equivalent to 
measurement using $L$. Suppose then that our system is in state $|x\rangle$ and that we first measure using $N$. 
Then the probability of observing $n$ is 

$$p_N(n) = \langle x|N_n^\dagger N_n|x\rangle$$

and, if $n$ is observed, the system will then be in state 

$$|y\rangle = \frac{N_n|x\rangle}{\sqrt{p_N(n)}}.$$

Now, with the system in state $|y\rangle$, making a measurement using $M$ the probability of observing 
$m$ is 

$$p_M(m) = \langle y|M_m^\dagger M_m|y\rangle = \frac{\langle x|N_n^\dagger M_m^\dagger M_m N_n|x\rangle}{p_N(n)}$$

and, if $m$ is observed, the system will be in state 

$$\frac{M_m|y\rangle}{\sqrt{p_M(m)}} = \frac{M_m N_n|x\rangle}{\sqrt{p_M(m)}\sqrt{p_N(n)}}.$$

Hence the probability of measuring $n$ and then $m$, or $(n, m)$, is 

$$p_N(n)\,p_M(m) = \langle x|N_n^\dagger M_m^\dagger M_m N_n|x\rangle$$

which is, by definition, the probability $p_L(n,m)$ of observing $(n, m)$ using $L$. Also, if $(n, m)$ is 
observed using $L$ then the system will be in state 

$$\frac{M_m N_n|x\rangle}{\sqrt{p_L(n,m)}}.$$

Therefore measurement using $L$ is equivalent to measurement using $N$ then $M$. 

2.6. Distinguishing states. In classical computation it is reasonable to assume that if we 
have a register which may take one of two distinct values then we can tell which of these values 
the register contains. One consequence of the measurement postulate is that this is not always 
the case in quantum computation. In fact we can tell apart orthogonal states but we cannot tell 
apart states which are not orthogonal. 

Following [45], to see that we can't distinguish non-orthogonal states, assume that we have a 
quantum system which we know contains either the state $|\psi_1\rangle$ or the state $|\psi_2\rangle$, and that we 
know what both of these states are. If $|\psi_1\rangle$ and $|\psi_2\rangle$ are not orthogonal then we can write 
$|\psi_2\rangle = \alpha|\psi_1\rangle + \beta|\theta\rangle$, for some unit vector $|\theta\rangle$ orthonormal to $|\psi_1\rangle$ and $\alpha, \beta \in \mathbb{C}$, with $\alpha \neq 0$ 
and so $|\beta| < 1$. Now assume that we have a measurement $\{M_m : m = 1, \ldots, k\}$ with which 
we can distinguish between $|\psi_1\rangle$ and $|\psi_2\rangle$. That is to say we have sets $S_1$ and $S_2$ such that 
$\{1, \ldots, k\} = S_1 \cup S_2$, where $S_1 \cap S_2 = \emptyset$ and we observe $m \in S_i$ if and only if the system is in 
state $|\psi_i\rangle$ (before the measurement). 

If we define $E_i = \sum_{m \in S_i} M_m^\dagger M_m$, for $i = 1, 2$, then 

$$\langle \psi_i|E_i|\psi_i\rangle = 1, \quad \text{for } i = 1, 2, \tag{2.4}$$

since the probability of observing $m \in S_i$ is 1 if the system is in state $|\psi_i\rangle$. Also, $E_1 + E_2 = I$ so 
$\langle \psi_i|E_1 + E_2|\psi_i\rangle = 1$, for $i = 1, 2$, which implies that 

As $M_m^\dagger M_m$ is a positive operator (see [37], for example) so is $E_i$ and so $\sqrt{E_i}$ is defined (and is 
self-adjoint). We now have 

$$\langle \psi_1|E_2|\psi_1\rangle = \langle \psi_1|\sqrt{E_2}\sqrt{E_2}|\psi_1\rangle = 0,$$

so $\sqrt{E_2}\,|\psi_1\rangle = 0$. This implies that $\sqrt{E_2}\,|\psi_2\rangle = \sqrt{E_2}(\alpha|\psi_1\rangle + \beta|\theta\rangle) = \beta\sqrt{E_2}\,|\theta\rangle$ so 

$$\langle \psi_2|E_2|\psi_2\rangle = |\beta|^2 \langle \theta|E_2|\theta\rangle \le |\beta|^2 < 1,$$

contrary to (2.4) (where the first inequality follows from l|2.H|l). 

The conclusion is that there is no such measurement. On the other hand, suppose we start 
with known states $|\psi_1\rangle, \ldots, |\psi_k\rangle$ which are pairwise orthogonal. To see that we can distinguish 
between them define a measurement $\{M_m : m = 0, \ldots, k\}$, where $M_m = |\psi_m\rangle\langle\psi_m|$, $m \ge 1$, and 
$M_0 = I - \sum_{m=1}^{k} M_m$. Then, if the system is in state $|\psi_i\rangle$ the probability of measuring $i$ is 
$\langle \psi_i|M_i^\dagger M_i|\psi_i\rangle = 1$. Thus, given that we know the system is in one of these $k$ states, this 
measurement allows us to determine which one. 
2.7. No cloning. Many classical algorithms make use of a copy function which replicates, or 
clones, the contents of a given register, whatever they happen to be. This can be achieved using 
the classical conditional not gate, CNOT, as follows. Suppose we have a 1-bit register, that is a 
copy of $\mathbb{Z}_2$, and we wish to copy its contents. Define the function CNOT from $\mathbb{Z}_2 \oplus \mathbb{Z}_2$ to itself 
by $\mathrm{CNOT}(x, y) = (x, x \oplus y)$, where $\oplus$ denotes addition modulo 2. To our 1-bit register we adjoin 
a second 1-bit register in state 0: so if the first register is in state $x$ we now have a 2-bit register, 
that is $\mathbb{Z}_2 \oplus \mathbb{Z}_2$, in state $(x, 0)$. Applying the conditional not function to this register we obtain 

$$\mathrm{CNOT}(x, 0) = (x, x).$$

Both the first and second 1-bit registers now contain the original contents of the first register. 
This process easily generalises to allow copying of $n$-bit registers. 

The question is whether we can do the same thing on a quantum computer. This would mean, 
given an $n$-qubit register $V$, finding some fixed state $|s\rangle$ of $V$ and a unitary transformation $U$ of 
$V \otimes V$ such that 

$$U|x\rangle|s\rangle = |x\rangle|x\rangle, \quad \text{for all } x \in V. \tag{2.5}$$

It turns out that, as a consequence of the following lemma, this is impossible. 

Lemma 2.1. Let $|x_1\rangle$ and $|x_2\rangle$ be distinct unit vectors in $V$ and let $T$ be a unitary transformation 
of $V \otimes V$. If there is a unit vector $|s\rangle \in V$ such that $T|x_i\rangle|s\rangle = |x_i\rangle|x_i\rangle$, for $i = 1$ and 2, then 
$|x_1\rangle$ and $|x_2\rangle$ are orthogonal. 

Proof. Since $T$ is unitary we have 

$$\langle x_1 s|x_2 s\rangle = \langle x_1 s|T^\dagger T|x_2 s\rangle = \langle x_1 x_1|x_2 x_2\rangle.$$

That is, using (2.1), 

$$\langle x_1|x_2\rangle = \langle x_1|x_2\rangle \langle s|s\rangle = (\langle x_1|x_2\rangle)^2,$$

so $\langle x_1|x_2\rangle = 0$ or 1. As $|x_1\rangle \neq |x_2\rangle$, and $|x_1\rangle$ and $|x_2\rangle$ are unit vectors, it follows from the 
Cauchy-Schwarz inequality that $|x_1\rangle$ and $|x_2\rangle$ are orthogonal, as required. □ 

Now let $U$ be a unitary transformation of $V \otimes V$ and, for a fixed $|s\rangle \in V$, set 
$R = \{|x\rangle \in V : U|x\rangle|s\rangle = |x\rangle|x\rangle\}$. The dimension of $V$ is $2^n$ so it follows, from the lemma above, that 
$|R| \le 2^n$. This applies to any unitary transformation $U$ and any $|s\rangle \in V$, so there can be no $U$ 
satisfying (2.5). Moreover we can copy at most $2^n$ fixed, predetermined states, but they must be 
orthonormal. In fact, given a set $\{|x_i\rangle : i = 1, \ldots, 2^n\}$ of $2^n$ orthonormal vectors of $V$, we have a 
set $\{|x_i\rangle|s\rangle : i = 1, \ldots, 2^n\}$ of $2^n$ orthonormal vectors of $V \otimes V$. We can extend this set to a basis 
of $V \otimes V$. Since $\{|x_i\rangle|x_i\rangle : i = 1, \ldots, 2^n\}$ can also be extended to a basis of $V \otimes V$, we may define 
a unitary transformation of $V \otimes V$ which maps $|x_i\rangle|s\rangle$ to $|x_i\rangle|x_i\rangle$, for all $i$. Hence we may copy 
up to $2^n$ fixed orthonormal states. 

In a classical probabilistic algorithm we may repeat a calculation a fixed number of times (in 
order to have a high probability of success) by first copying the input and then performing the 
calculation on each copy. However on a quantum computer, due to the fact that we cannot copy 
arbitrary states, to repeat the calculation we must repeat the entire algorithm. 

2.8. Entangled states. Let $x \in V \otimes W$. Then $x$ is said to be disentangled if there exist 
$v \in V$ and $w \in W$ such that $x = v \otimes w$. Otherwise $x$ is said to be entangled. The definition 
extends in the obvious way to n-fold tensor products. An entangled unit vector of an n-qubit 
system is called an entangled state. For example, $|00\rangle + |11\rangle$ is an entangled state. In fact, if there 
exist $a, b, c, d \in \mathbb{C}$ such that 

$$\begin{aligned}
|00\rangle + |11\rangle &= (a|0\rangle + b|1\rangle) \otimes (c|0\rangle + d|1\rangle) \\
&= ac|00\rangle + bc|10\rangle + ad|01\rangle + bd|11\rangle,
\end{aligned}$$

then $bc = ad = 0$ and $ac = bd = 1$, which is impossible. 

Entangled states play an important role in quantum teleportation and in super-dense coding. For 
details of these applications see, for example, [45] or [S]. 

2.9. Observing multiple qubit systems. A quantum algorithm may use different parts 
of its register for different purposes and so it is often convenient to view a quantum system 
as a composite of sub-systems. This amounts to decomposing the vector space comprising the 
system into a tensor product of vector sub-spaces. The purpose of doing this is usually so that 
measurement may be taken on one part of the system but not the other. We now consider how 
this may be arranged. 

Suppose that the mn-qubit system $V$ is the tensor product of m and n-qubit systems $Q$ and $R$, 
respectively. Assume that we have measurements $M = \{M_a : a = 1, \ldots, k\}$ and $N = \{N_b : b = 1, \ldots, l\}$ 
of $Q$ and $R$. Then we may define measurements $\hat{M} = \{\hat{M}_a = M_a \otimes I : a = 1, \ldots, k\}$ 
and $\hat{N} = \{\hat{N}_b = I \otimes N_b : b = 1, \ldots, l\}$ of $Q \otimes R$. As in Section 2.5 we obtain a measurement 
$L = \{L_{ab} = \hat{M}_a \hat{N}_b : a = 1, \ldots, k, b = 1, \ldots, l\}$. This time we have $\hat{M}_a \hat{N}_b = (M_a \otimes I)(I \otimes N_b) = 
(I \otimes N_b)(M_a \otimes I) = \hat{N}_b \hat{M}_a$, for all $a, b$. Therefore, as in Section 2.5, measurement with $\hat{N}$ followed 
by $\hat{M}$ is equivalent to measurement with $L$ and, in addition, the same is true of measurement with 
$\hat{M}$ followed by $\hat{N}$. We call a measurement $\hat{M}$ induced in this way from a measurement on $Q$ a 
measurement of register $Q$ and say that $a$ is observed in register $Q$. 

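Example 2.2. Suppose that we have a 2-qubit system $V = \mathbb{C}\mathbb{Z}_2 \otimes \mathbb{C}\mathbb{Z}_2$ and $Q = R = \mathbb{C}\mathbb{Z}_2$ 
and we have measurements $M = \{M_0, M_1\}$ and $N = \{N_0, N_1\}$, where $M_i = N_i = |i\rangle\langle i|$. Then 
$\hat{M}_i = |i\rangle\langle i| \otimes I$, $\hat{N}_j = I \otimes |j\rangle\langle j|$ and $L_{ij} = |i\rangle\langle i| \otimes |j\rangle\langle j|$. Consider the state 

$$|\psi\rangle = a|00\rangle + b|01\rangle + c|10\rangle + d|11\rangle,$$

where $|a|^2 + |b|^2 + |c|^2 + |d|^2 = 1$. To see what happens if we measure with $\hat{M}$ we may rewrite 
$|\psi\rangle$ as 

$$|0\rangle \otimes (a|0\rangle + b|1\rangle) + |1\rangle \otimes (c|0\rangle + d|1\rangle).$$

Then it's clear that $\hat{M}_0|\psi\rangle = |0\rangle \otimes (a|0\rangle + b|1\rangle)$ and $\hat{M}_1|\psi\rangle = |1\rangle \otimes (c|0\rangle + d|1\rangle)$. Hence 

$$p_{\hat{M}}(|\psi\rangle \to 0) = |a|^2 + |b|^2 = u^2 \quad\text{and}\quad p_{\hat{M}}(|\psi\rangle \to 1) = |c|^2 + |d|^2 = v^2,$$

where $u, v > 0$. 

Observations of 0 or 1 in register $Q$ will therefore result in the quantum state 

$$|0\rangle \otimes \left(\frac{a}{u}|0\rangle + \frac{b}{u}|1\rangle\right) \quad\text{or}\quad |1\rangle \otimes \left(\frac{c}{v}|0\rangle + \frac{d}{v}|1\rangle\right) \quad\text{respectively.}$$

Similarly, if $w, x > 0$ are such that $w^2 = |a|^2 + |c|^2$ and $x^2 = |b|^2 + |d|^2$ then measuring $V$ with $\hat{N}$ 
the probabilities of observing 0 and 1 in register $R$ are 

$$p_{\hat{N}}(|\psi\rangle \to 0) = w^2 \quad\text{and}\quad p_{\hat{N}}(|\psi\rangle \to 1) = x^2.$$

If 0 or 1 is observed in register $R$ then the resulting quantum state is 

$$\left(\frac{a}{w}|0\rangle + \frac{c}{w}|1\rangle\right) \otimes |0\rangle \quad\text{or}\quad \left(\frac{b}{x}|0\rangle + \frac{d}{x}|1\rangle\right) \otimes |1\rangle \quad\text{respectively.}$$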

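We now consider the effect of measurements in registers $Q$ and $R$ on a disentangled state $|xy\rangle = 
|x\rangle \otimes |y\rangle$, where $|x\rangle \in Q$ and $|y\rangle \in R$. We shall see that in this case the probabilities of observing $a$ 
in register $Q$ or $b$ in register $R$ are independent. We have $\hat{M}_a^\dagger \hat{M}_a = M_a^\dagger M_a \otimes I$ so the probability 
of observing $a$ if we measure $V$ with $\hat{M}$ is 

$$p_{\hat{M}}(|xy\rangle \to a) = \langle xy|\hat{M}_a^\dagger \hat{M}_a|xy\rangle = \langle x \otimes y|M_a^\dagger M_a \otimes I|x \otimes y\rangle = \langle x|M_a^\dagger M_a|x\rangle \langle y|y\rangle.$$

Since $|xy\rangle$ is a unit vector we may assume that $|x\rangle$ and $|y\rangle$ are unit vectors, by writing 

$$|xy\rangle = \frac{|x\rangle}{\| |x\rangle \|} \otimes \frac{|y\rangle}{\| |y\rangle \|}$$

if necessary. Hence $\langle y|y\rangle = 1$ and 

$$p_{\hat{M}}(|xy\rangle \to a) = \langle x|M_a^\dagger M_a|x\rangle = p_M(|x\rangle \to a),$$

the probability that $a$ is observed if $Q$ is measured with $M$. Similarly 

$$p_{\hat{N}}(|xy\rangle \to b) = p_N(|y\rangle \to b),$$

the probability that $b$ is observed if $R$ is measured with $N$. The probability of observing both $a$ 
in register $Q$ and $b$ in register $R$ when $V$ is in state $|xy\rangle$ is 

$$\begin{aligned}
p_L(ab) &= \langle xy|L_{ab}^\dagger L_{ab}|xy\rangle = \langle x \otimes y|M_a^\dagger M_a \otimes N_b^\dagger N_b|x \otimes y\rangle \\
&= \langle x|M_a^\dagger M_a|x\rangle \langle y|N_b^\dagger N_b|y\rangle.
\end{aligned}$$

Hence $p_{\hat{M}}(|xy\rangle \to a)$ and $p_{\hat{N}}(|xy\rangle \to b)$ are independent. 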

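Example 2.3. With $V$, $Q$, $R$, $M$ and $N$ as in the previous example, let $|x\rangle = \alpha|0\rangle + \beta|1\rangle$ and 
$|y\rangle = \gamma|0\rangle + \delta|1\rangle$, where $|\alpha|^2 + |\beta|^2 = 1$ and $|\gamma|^2 + |\delta|^2 = 1$. Then 

$$|x\rangle \otimes |y\rangle = \alpha\gamma|00\rangle + \alpha\delta|01\rangle + \beta\gamma|10\rangle + \beta\delta|11\rangle.$$

Hence 

$$p_{\hat{M}}(0) = |\alpha\gamma|^2 + |\alpha\delta|^2 \quad\text{and}\quad p_{\hat{N}}(0) = |\alpha\gamma|^2 + |\beta\gamma|^2,$$

while 

$$p_L(00) = |\alpha\gamma|^2.$$

Hence 

$$p_{\hat{M}}(0)\, p_{\hat{N}}(0) = |\alpha\gamma|^2 (|\alpha\gamma|^2 + |\beta\gamma|^2 + |\alpha\delta|^2 + |\beta\delta|^2) = |\alpha\gamma|^2 = p_L(00).$$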



On the other hand, in general, the measurements of individual registers do not have independent 
probabilities. To see this consider the entangled state $(|00\rangle + |11\rangle)/\sqrt{2}$ in the system of the previous 
example. Measuring in register $Q$ we observe either 0 or 1, each with a probability of 1/2. The 
same holds for register $R$. If these probabilities are independent then the probability of observing 
00 should be 1/4. However, it's easy to see that the probability of observing 00 is also 1/2. In 
fact after the first measurement the system projects to one of the states $|00\rangle$ or $|11\rangle$. Measuring 
the former we observe 00 with probability 1 and 11 with probability 0. 

The above example illustrates the fact that if $|\psi\rangle$ is disentangled then probabilities of observing 
$a$ in register $Q$ and $b$ in register $R$ are independent, where $|a\rangle$ and $|b\rangle$ range over basis vectors of 
$Q$ and $R$. The converse is not true. For example take $|\psi\rangle = [|00\rangle + |01\rangle + |10\rangle - |11\rangle]/2$. The 
probability $p_{\hat{M}}(a)$ of observing $a$ in register $Q$ is 1/2, as is the probability $p_{\hat{N}}(b)$ of observing $b$ 
in register $R$, for all $a$ and $b$ in $\{0,1\}$. As the probability $p_L(ab)$ of observing $|ab\rangle$ is 1/4, the 
probabilities $p_{\hat{M}}$ and $p_{\hat{N}}$ are independent. However $|\psi\rangle$ is entangled. 
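The three 2-qubit states discussed in Sections 2.8 and 2.9 can be checked numerically. The following is an added example, not code from the paper: the function names are chosen here, amplitudes are listed in the order 00, 01, 10, 11 with register Q as the first digit, and the entanglement test uses the standard fact (not stated in the text) that a 2-qubit state factors exactly when ad - bc = 0.

```python
import math

def marginals(state):
    """state = [a, b, c, d] for a|00> + b|01> + c|10> + d|11>.
    Returns (pQ, pR, pL): the distributions observed in register Q,
    in register R, and jointly in both registers."""
    a, b, c, d = (abs(z) ** 2 for z in state)
    pQ = [a + b, c + d]          # |a|^2 + |b|^2 = u^2, |c|^2 + |d|^2 = v^2
    pR = [a + c, b + d]          # |a|^2 + |c|^2 = w^2, |b|^2 + |d|^2 = x^2
    pL = [[a, b], [c, d]]
    return pQ, pR, pL

def independent(state, tol=1e-12):
    """True when p_L(ab) = p_Q(a) * p_R(b) for every pair of outcomes."""
    pQ, pR, pL = marginals(state)
    return all(abs(pL[i][j] - pQ[i] * pR[j]) < tol
               for i in (0, 1) for j in (0, 1))

def entangled(state, tol=1e-12):
    """A state is a product (a'|0>+b'|1>)(c'|0>+d'|1>) iff ad - bc = 0."""
    a, b, c, d = state
    return abs(a * d - b * c) > tol

def observe_Q(state, outcome):
    """Normalised state left after observing `outcome` in register Q,
    as computed by hand in Example 2.2."""
    kept = [z if (i >> 1) == outcome else 0.0 for i, z in enumerate(state)]
    norm = math.sqrt(sum(abs(z) ** 2 for z in kept))
    if norm == 0:
        raise ValueError("this outcome has probability zero")
    return [z / norm for z in kept]

# States taken from the text (amplitudes typed in here).
BELL = [1 / math.sqrt(2), 0.0, 0.0, 1 / math.sqrt(2)]   # (|00> + |11>)/sqrt(2)
CONVERSE = [0.5, 0.5, 0.5, -0.5]                        # [|00>+|01>+|10>-|11>]/2
# Constructed product state: alpha=0.6, beta=0.8, gamma=0.8, delta=0.6.
PRODUCT = [0.6 * 0.8, 0.6 * 0.6, 0.8 * 0.8, 0.8 * 0.6]

if __name__ == "__main__":
    for name, s in (("Bell", BELL), ("converse", CONVERSE), ("product", PRODUCT)):
        print(name, "independent:", independent(s), "entangled:", entangled(s))
```
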



2.10. Quantum parallelism. We develop here the notion of parallel quantum computation 
which we touched on briefly in Section [bTTI A basic tool in the operation of this scheme is the 
family of functions we describe next. 
The single qubit Walsh-Hadamard transformation is the unitary operator $W$ on a single qubit 
system given by 

$$W(|0\rangle) = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \quad\text{and}\quad W(|1\rangle) = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle). \tag{2.6}$$

We can express $W$ more concisely by writing 

$$W(|x\rangle) = \frac{1}{\sqrt{2}}(|0\rangle + (-1)^x|1\rangle) = \frac{1}{\sqrt{2}}\sum_{k=0}^{1}(-1)^{xk}|k\rangle.$$

It is easy to see by direct calculation that $W$ is an involution, that is $W^2 = I_2$. Moreover, if we 
ignore the complex coefficients $W$ is reflection in the line which makes an angle of $\pi/8$ with the 
$|0\rangle$-axis. 

The n-bit Walsh-Hadamard transformation $W_n$ is defined to be $W^{\otimes n}$. As $W$ is an involution we 
have $W_n^2 = I_2^{\otimes n} = I_{2^n}$, so $W_n$ is also an involution. Applied to $|0\rangle^{\otimes n}$, $W_n$ generates a uniform 
linear combination of the integers from 0 to $2^n - 1$, i.e. 

$$W_n(|0 \cdots 0\rangle) = \frac{1}{\sqrt{2^n}}\sum_{x=0}^{2^n-1}|x\rangle.$$

For example, 

$$\begin{aligned}
W_2|00\rangle &= (W \otimes W)(|0\rangle \otimes |0\rangle) \\
&= W|0\rangle \otimes W|0\rangle \\
&= \frac{1}{2}((|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle)) \\
&= \frac{1}{2}(|0\rangle \otimes |0\rangle + |0\rangle \otimes |1\rangle + |1\rangle \otimes |0\rangle + |1\rangle \otimes |1\rangle) \\
&= \frac{1}{2}(|00\rangle + |01\rangle + |10\rangle + |11\rangle).
\end{aligned}$$

This generalises in the obvious way to $W_n$ and allows us, starting with the simple basis state 
$|0 \cdots 0\rangle$, to prepare a uniform superposition of all basis vectors. 

For computation a more concise notation is convenient and to this end we define the following 
notation. Let $|x\rangle$ and $|y\rangle$ be basis vectors in an n-qubit system, where $x$ and $y$ are n-bit binary 
integers. Define 

$$x \cdot y = \sum_{i=0}^{n-1} x_i y_i.$$

(Note that this is not the inner product of \x) and \y) (see page|SJ). It extends to a symmetric 
bilinear form on |a;) and \y) regarded as vectors in a 2™ -dimensional space over However it 
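may be zero when $|x\rangle$ and $|y\rangle$ are both non-zero.) Now, setting $m = 2^n$, we have 

$$\begin{aligned}
W_n|x\rangle &= \bigotimes_{i=0}^{n-1} W|x_i\rangle \\
&= \bigotimes_{i=0}^{n-1} \frac{1}{\sqrt{2}}\sum_{k_i=0}^{1}(-1)^{x_i k_i}|k_i\rangle \\
&= \frac{1}{\sqrt{m}}\sum_{k_0=0}^{1}\cdots\sum_{k_{n-1}=0}^{1}(-1)^{x_0 k_0}\cdots(-1)^{x_{n-1}k_{n-1}}|k_0 \cdots k_{n-1}\rangle \\
&= \frac{1}{\sqrt{m}}\sum_{k_0 \cdots k_{n-1}=0}^{m-1}(-1)^{x_0 k_0}\cdots(-1)^{x_{n-1}k_{n-1}}|k_0 \cdots k_{n-1}\rangle \\
&= \frac{1}{\sqrt{m}}\sum_{k=0}^{m-1}(-1)^{x \cdot k}|k\rangle.
\end{aligned} \tag{2.7}$$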

The Walsh-Hadamard functions allow us to prepare the input to parallel computations. Now we 
consider the computations themselves. Let $f : \mathbb{Z}_2^m \to \mathbb{Z}_2^k$ be a function, not necessarily invertible. 
As we're not assuming that $f$ is invertible we cannot use it, as it is, as a transformation in a 
quantum computer. However, at the expense of introducing some extra storage space we can 
devise a unitary transformation to simulate $f$. We require a quantum system $V$ which is the 
tensor product of an m-qubit quantum system with a k-qubit quantum system. Recall that $V$ 
has basis consisting of the vectors $|x\rangle \otimes |y\rangle$, where $x$ and $y$ are binary representations of integers 
in $\{0, \ldots, 2^m - 1\} = \mathbb{Z}_2^m$ and $\{0, \ldots, 2^k - 1\} = \mathbb{Z}_2^k$ respectively. Define the linear transformation 

$$U_f : |x\rangle \otimes |y\rangle \mapsto |x\rangle \otimes |y \oplus f(x)\rangle,$$

where $\oplus$ denotes addition in the group $\mathbb{Z}_2^k$ (known as "bitwise exclusive OR" in the literature). For 
fixed $x$, we see that $y \oplus f(x)$ takes every value in $\mathbb{Z}_2^k$ exactly once, as $y$ varies over $\{0, \ldots, 2^k - 1\}$. 
Therefore $U_f$ simply permutes all $2^{m+k}$ basis elements of $V$ and it follows that it is unitary. 
Moreover $U_f(|x\rangle \otimes |0\rangle) = |x\rangle \otimes |f(x)\rangle$ and in this sense $U_f$ simulates $f$. The map $U_f$ is referred 
to as the standard oracle for the function $f$. The standard oracle may thus be used to simulate 
any function, invertible or not, on a quantum computer. It follows that any function which may 
be carried out by a classical computer may also be carried out by a quantum computer. 

In the case where $f$ is a bijection, and only in this case, we can define the simpler and more 
obvious oracle $|x\rangle \to |f(x)\rangle$. This is called the minimal or erasing oracle for $f$. Its relation to the 
standard oracle is considered in !.'{(>■ . Furthermore, in [J a problem is given in which a minimal 
oracle is shown to be exponentially more powerful than a standard oracle.) The form of $U_f$ above 
may seem strange, but in fact it originates in classical reversible computing and has been adapted 
for the purposes of quantum computing. See [39] for more details of reversible computing. 



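If we apply $U_f$ to 

$$W_m(|0\rangle^{\otimes m}) \otimes |0\rangle = \left(\frac{1}{\sqrt{2^m}}\sum_{x=0}^{2^m-1}|x\rangle\right) \otimes |0\rangle$$

we obtain 

$$\frac{1}{\sqrt{2^m}}\sum_{x=0}^{2^m-1}|x\rangle \otimes |f(x)\rangle.$$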

We can view this as a simultaneous computation of $f$ on all possible values of $x$, although the 
fact that $|f(x)\rangle$ is associated with the state $|x\rangle$, for all $x$, may sometimes be a problem. Creation 
of this kind of state is often referred to as quantum parallelism and is an easy and standard first 
step in many quantum computations. The tricky part is to glean useful information from this 
(extremely entangled) output state. 

Figure 1. Basis states. 

Figure 2. A uniform superposition in the first register 

Figure 3. A quantum state corresponding to the graph of f 

Example 2.4. Suppose that $m = k = 2$, so that $\mathbb{Z}_2^m = \mathbb{Z}_2^k = \mathbb{Z}_2^2 = \{0, \ldots, 3\}$. Let $f$ be the 
function defined by $f(0) = 1$, $f(1) = 2$, $f(2) = 0$ and $f(3) = 3$. The quantum system $V$ is the 
tensor product $\mathbb{C}\mathbb{Z}_2^2 \otimes \mathbb{C}\mathbb{Z}_2^2$ and has basis $\{|x\rangle \otimes |y\rangle : 0 \le x, y \le 3\}$. We can represent the elements 
of this basis on a 3 x 3 grid, with $x$ indexing the horizontal squares and $y$ the vertical ones. For 
many of the algorithms we consider, the quantum state is always in a uniform superposition of 
an r-element subset of the set of basis elements, with phase (coefficient) $\pm 1/\sqrt{r}$. We represent 
such states by using a black square for a coefficient of $1/\sqrt{r}$, a grey square for a coefficient of 
$-1/\sqrt{r}$ and a white square for a coefficient of 0. For example, a basis state is represented by a 
single square as in Figure 1 and the state $(W|0\rangle) \otimes |0\rangle$ is represented as in Figure 2. If we apply 
$U_f$ to this state we obtain the state shown in Figure 3, which can be considered as a uniform 
superposition over all of the points of the graph of $f$. 

It's useful, as an exercise, to calculate $U_f$ applied to $(W|0\rangle) \otimes |1\rangle$, $(W|0\rangle) \otimes |2\rangle$ and $(W|0\rangle) \otimes |3\rangle$ 
in turn, to understand how $U_f$ is constructed, and why it is reversible. In fact, $U_f$ is always an 
involution (i.e. $U_f \circ U_f = I$), regardless of what $f$ is. 

Example 2.5. Pictures of the quantum system, as in the previous example, can also be used 
to help understand measurements of quantum states, and how they relate to entanglement. All 
measurements are taken with respect to the computational basis (see Section 2.3). A disentangled 
state such as, for example, 

$$|2\rangle \otimes \frac{1}{\sqrt{3}}(|0\rangle + |1\rangle + |3\rangle)$$

looks the same in every nonzero column (up to phase), so measuring the first register (which 
always results in 2) doesn't affect the distribution of non-zero coefficients in the second register 
(see Figure 4). 

Figure 4. A disentangled state 

On the other hand, if we have an entangled state such as, for example, 



1 



^g(|0>®|0) 



|0) ® \2) - |2) ® |1) + |2) ® |2) - |2) <g> |3) + |3) <8> |3)) 



we can see directly from Figure 5 how measurements of the first register affect the distribution on 
the second. If we observe 0 in the first register, then there is a probability of 1/2 of observing 0 
in the second register, and a probability of 1/2 of observing 2. If we observe 2 in the first register 
then we have probabilities of 1/3 of observing either 2, 3 or 4 and if we observe 3 in the first 
register then we observe 3 with certainty in the second register. 

Figure 5. Measurement of an entangled state 

Some care is required in the interpretation of these diagrams. For example, the diagram of the 
entangled state $|00\rangle - |01\rangle - |10\rangle + |11\rangle$ will suggest different results in the second register after 
measurement of the first register: depending on whether 0 or 1 is observed. However these results 
differ only by a phase factor (of $-1$) so are, in fact, the same. 
3. The Deutsch Jozsa algorithm 



3.1. Oracles and query complexity. Deutsch [14] was the first to show that a speed-up 
in complexity is possible when passing from classical to quantum computations. It is important 
to understand that the complexity referred to is query complexity. The idea is that we have a 
"black box" or "oracle", as described in Section 2.10, which evaluates some function (classically 
this would be a function on integers, but in the quantum scenario we allow evaluations on complex 
vectors). Query complexity simply addresses how many times we have to ask the oracle to evaluate 
the function on some input, in order to determine some property of $f$. It ignores how many 
quantum gates we require to actually implement the function. For a genuine upper bound on time 
complexity we must demonstrate efficient implementation of the oracle. For example, this is the 
case in Shor's algorithm in the next section where we show that the quantum Fourier transform 
can be implemented using a number of gates logarithmic in the size of the input. 

Again, a lower bound on the query complexity of a given algorithm, with respect to a specific 
oracle, does not necessarily give a lower bound on time complexity of the algorithm. This is 
because we know nothing about the operation of the oracle: if we knew how the oracle worked 
then perhaps we could see how to do without it. Within the context of query complexity (relative to 
a specific oracle) many quantum algorithms have been proved to be more efficient than any classical 
counterpart. However, so far, not a single instance exists where we can say the same about true 
time complexity. To do so would usually require a lower bound on the classical complexity of a 
given problem and this often brings us up against difficult open problems in classical complexity 
theory. For example, Shor's algorithm is a (non-deterministic) quantum algorithm for factoring 
integers. Although no classical polynomial time algorithm is known for this problem, whether or 
not such an algorithm exists is an open question. 

Given two functions $f$ and $g$ from $\mathbb{N}$ to $\mathbb{R}$ we say that $f = O(g)$ if there exist constants $c, k \in \mathbb{R}$ 
such that $|f(n)| < c|g(n)| + k$, for all $n \in \mathbb{N}$. We also say that $f = \Omega(g)$ if $g = O(f)$. Thus $O$ is 
used to describe upper bounds and $\Omega$ to describe lower bounds. 

3.2. The single qubit case of Deutsch's algorithm. The unitary maps involved in quantum 
computing can often be represented pictorially via quantum circuit diagrams. An operator $U$ 
on a single quantum register is represented as in Figure 6. We also draw gates for operators on 
two or more quantum registers: the set-up for quantum parallelism as described in Section 2.10 
is shown in Figure 7. A similar circuit is shown in Figure 8. Here an additional Walsh-Hadamard 
gate operates on the second register, transforming its contents into a uniform superposition, before 
entering the $U_f$ gate. 

Figure 6. A single-qubit gate 

Figure 7. The circuit for quantum parallelism 

Figure 8. An insensitive quantum circuit 



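Computing the final state of this system we have 

$$\begin{aligned}
|0\rangle \otimes |0\rangle &\xrightarrow{\,W \otimes W\,} \frac{1}{\sqrt{2^{m+k}}}\sum_{x=0}^{2^m-1}\sum_{y=0}^{2^k-1}|x\rangle \otimes |y\rangle \\
&\xrightarrow{\;U_f\;} \frac{1}{\sqrt{2^{m+k}}}\sum_{x=0}^{2^m-1}\sum_{y=0}^{2^k-1}|x\rangle \otimes |y \oplus f(x)\rangle \\
&= \frac{1}{\sqrt{2^{m+k}}}\sum_{x=0}^{2^m-1}\sum_{y=0}^{2^k-1}|x\rangle \otimes |y\rangle,
\end{aligned}$$

because $y \oplus f(x)$ takes each possible value exactly once, as $y$ ranges over $\{0, \ldots, 2^k - 1\}$. This 
computation can certainly not be used to gain any information about $f$, because its final state 
is the same, whatever $f$ is. However, Deutsch showed that, with $k = 1$, if we alter input to the 
second register to $|1\rangle$ then we can obtain some information on the nature of $f$. 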

Deutsch's algorithm concerns functions $f : \{0,1\} \to \{0,1\}$. We call such a function constant if 
$f(0) = f(1)$ and balanced if $f(0) \neq f(1)$. Given such a function suppose that we wish to determine 
whether $f$ is constant or balanced (it must be one or the other). Classically, this requires two 
evaluations of $f$. Let $U_f$ be the standard oracle for $f$ (see Section 2.10). We shall show that a 
quantum computer only needs a single evaluation of the oracle to determine whether $f$ is constant 
or balanced (with certainty). The quantum circuit for the algorithm is shown in Figure 9. After 
passing through the Walsh-Hadamard gates, the registers are in the state 

$$(W \otimes W)(|0\rangle \otimes |1\rangle) = \left(\frac{|0\rangle + |1\rangle}{\sqrt{2}}\right) \otimes \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right).$$

Figure 9. The quantum circuit for Deutsch's algorithm 
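Now, if $x \in \{0, 1\}$, we have 

$$\begin{aligned}
U_f\left(|x\rangle \otimes \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)\right) &= |x\rangle \otimes \left(\frac{|0 \oplus f(x)\rangle - |1 \oplus f(x)\rangle}{\sqrt{2}}\right) \\
&= |x\rangle \otimes \frac{1}{\sqrt{2}}\begin{cases} |0\rangle - |1\rangle & \text{if } f(x) = 0 \\ |1\rangle - |0\rangle & \text{if } f(x) = 1 \end{cases} \\
&= (-1)^{f(x)}|x\rangle \otimes \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right).
\end{aligned}$$

Therefore, by linearity, after passing through the $U_f$ gate the system is in state 

$$\left(\frac{(-1)^{f(0)}|0\rangle + (-1)^{f(1)}|1\rangle}{\sqrt{2}}\right) \otimes \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)$$

which is equal to 

$$\pm\left(\frac{|0\rangle + |1\rangle}{\sqrt{2}}\right) \otimes \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right), \quad \text{if } f \text{ is constant,}$$

and 

$$\pm\left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right) \otimes \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right), \quad \text{if } f \text{ is balanced.}$$

After passing through the final Walsh-Hadamard gate, the first qubit is in state 

$$\pm|0\rangle \text{ if } f \text{ is constant}, \qquad \pm|1\rangle \text{ if } f \text{ is balanced}.$$

So measuring this qubit, with respect to the computational basis, we observe 0 with probability 1, 
if $f$ is constant, and 1 with probability 1, if $f$ is balanced. Since $f$ has only been evaluated once, 
this demonstrates that quantum computers are strictly more efficient than classical computers, 
when we are referring to deterministic black box query complexity. 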

In fact Deutsch's algorithm puts each of the functions in Figure 10 in one of the two classes: 
constant or balanced. With the notation of Figure 10 write $U_i = U_{f_i}$. Then the operation of 
Deutsch's algorithm on each function can be pictorially represented as in Figure 11. 

Figure 10. The four possible functions $\{0, 1\} \to \{0, 1\}$ 

3.3. The general Deutsch Jozsa algorithm. The generalisation of the algorithm of the 
previous section to m qubits is due to Deutsch and Jozsa [15] (see also [12] for the improved 
version which we present here). A function $f : \mathbb{C}\mathbb{Z}_2^m \to \{0,1\}$ is called balanced if $|f^{-1}(0)| = 
|f^{-1}(1)| = 2^{m-1}$. Assume we know only that $f$ is either constant or balanced, and that we wish to 
determine which of these properties $f$ has. Classically this requires $2^{m-1} + 1$ evaluations. However 
on a quantum computer it can be done with a single evaluation of an oracle. The circuit for this 
algorithm is the same as the Deutsch algorithm, apart from the number of input qubits in the first 
register, and is shown in Figure 12. 

Assume then that we have a function $f : \mathbb{Z}_2^m \to \{0, 1\}$ which is either balanced or constant. 
Again, we employ the standard oracle $U_f$ for $f$. We use a composite system with an m-qubit and 
a 1-qubit register. This time we begin with the basis state $|0\rangle^{\otimes m}|1\rangle$ to which we apply $W_m \otimes W$ 
to obtain the state 

$$\frac{1}{\sqrt{2^m}}\sum_{x=0}^{2^m-1}|x\rangle \otimes W|1\rangle.$$

Passing this through the $U_f$ gate the state of the system becomes 

$$\frac{1}{\sqrt{2^m}}\sum_{x=0}^{2^m-1}(-1)^{f(x)}|x\rangle \otimes W|1\rangle.$$

Figure 11. Quantum states created by Deutsch's algorithm 

Figure 12. The quantum circuit for the Deutsch-Jozsa algorithm 

Ignoring the second qubit, which is the same for any function, what we have done here is to encode 
the function as the coefficients of a single state. We shall define $\mathcal{D}(f)$ to be the state 

$$\mathcal{D}(f) = \frac{1}{\sqrt{2^m}}\sum_{x=0}^{2^m-1}(-1)^{f(x)}|x\rangle. \tag{3.1}$$

If $f$ is constant then applying $W_m$ to $\mathcal{D}(f)$ will give $\pm|0\rangle$, and if we measure the state we will 
always observe 0. 

If $f$ is balanced then we need to make a more careful analysis of the resulting state. In any case, 
after applying $W_m$ to $\mathcal{D}(f)$ we have, using (2.7), 

$$\frac{1}{2^m}\sum_{x=0}^{2^m-1}\sum_{y=0}^{2^m-1}(-1)^{f(x) \oplus (x \cdot y)}|y\rangle.$$

Since $f$ is balanced the coefficient of $|0\rangle$ in this state is 

$$\frac{1}{2^m}\sum_{x=0}^{2^m-1}(-1)^{f(x)} = 0.$$

Hence, when we measure the state we never observe 0. Thus we can distinguish between balanced 
and constant functions. 

Note that we can only create $\mathcal{D}(f)$ for functions $f : \{0, \ldots, 2^{m-1}\} \to \{0, \ldots, 2^{k-1}\}$ in the case 
where $k = 1$, but the general idea is that it is easier to manipulate a single register to gain 
information about a function than a register pair containing the standard 2-register functional 
superposition provided by the $U_f$ gate. This will also apply later, in Shor's algorithm where a 
measurement of the second register puts the first register into a certain state which we work with, 
and also in Grover's algorithm, which manipulates the amplitudes of $\mathcal{D}(f)$ to ensure that we have 
a high probability of observing an $x$ for which $f(x) = 1$. 

In conclusion, we have exhibited a problem which takes time $O(2^m)$ classically but takes time 
$O(1)$ on a quantum computer. 

The black box query complexity speed-up is hence exponential, from the classical to quantum 
setting. However the exponential speed up is not really robust when compared to probabilistic 
algorithms. If one is willing to accept output which is not correct with absolute certainty 
then, given any $\epsilon > 0$, an answer correct with probability $1 - \epsilon$ is classically attainable using at 
most $\log_2(1/\epsilon)$ queries. Thus, effectively, we have only a constant factor speed up, for any fixed 
permissible probability of error. 

In this section we have studied properties of functions which can be deduced exactly from $\mathcal{D}(f)$ 
with a single quantum measurement. In a related work [32], properties of functions which can be 
deduced from the standard state $\sum_x |x\rangle \otimes |f(x)\rangle$ with a single measurement are studied. Even 
when a certain probability of failure is allowed this class of functions turns out to be very restricted. 
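The circuits of Sections 2.10 and 3.3 can be checked on small inputs with a classical state-vector simulation. The following is an added example, not code from the paper: the function names are chosen here, and it assumes the first register occupies the high bits of the basis index and the second register the low k bits. It goes slightly beyond the text by also evaluating a function that breaks the constant-or-balanced promise.

```python
import math

def hadamard(state, bit):
    """Apply the single-qubit Walsh-Hadamard W to the qubit at index bit `bit`."""
    out = list(state)
    step = 1 << bit
    s = 1 / math.sqrt(2)
    for i in range(len(state)):
        if not i & step:
            a, b = state[i], state[i | step]
            out[i], out[i | step] = s * (a + b), s * (a - b)
    return out

def standard_oracle(state, f, k):
    """U_f: |x>|y> -> |x>|y XOR f(x)>. It only permutes basis states,
    so it is unitary even when f is not invertible."""
    mask = (1 << k) - 1
    out = [0.0] * len(state)
    for idx, amp in enumerate(state):
        x, y = idx >> k, idx & mask
        out[(x << k) | (y ^ f(x))] = amp
    return out

def parallel_state(f, m, k, superpose_second=False):
    """Figure 7 circuit: W_m on the first register of |0>|0>, then U_f.
    With superpose_second=True the second register is also put through
    Walsh-Hadamard gates first, which is the Figure 8 circuit."""
    state = [0.0] * (1 << (m + k))
    state[0] = 1.0
    bits = range(m + k) if superpose_second else range(k, m + k)
    for bit in bits:
        state = hadamard(state, bit)
    return standard_oracle(state, f, k)

def deutsch_jozsa_p0(f, m):
    """Run the Section 3.3 circuit with one oracle call and return the
    probability of observing 0 in the m-qubit first register."""
    n = m + 1
    state = [0.0] * (1 << n)
    state[1] = 1.0                           # basis state |0...0>|1>
    for bit in range(n):                     # W_m (x) W
        state = hadamard(state, bit)
    state = standard_oracle(state, f, 1)     # the single evaluation of U_f
    for bit in range(1, n):                  # final W_m, first register only
        state = hadamard(state, bit)
    return abs(state[0]) ** 2 + abs(state[1]) ** 2

def classify(f, m):
    """Decide 'constant' or 'balanced'; only meaningful under the promise."""
    return "constant" if deutsch_jozsa_p0(f, m) > 0.5 else "balanced"

# The function of Example 2.4 (m = k = 2).
EXAMPLE_2_4 = {0: 1, 1: 2, 2: 0, 3: 3}

if __name__ == "__main__":
    graph = parallel_state(EXAMPLE_2_4.get, 2, 2)
    print("graph of f:", [(i >> 2, i & 3) for i, a in enumerate(graph) if a])
    print("parity on 3 bits:", classify(lambda x: bin(x).count("1") & 1, 3))
    print("constant 1 on 3 bits:", classify(lambda x: 1, 3))
    # Promise broken: f is 1 only at x = 0, so P(0) = ((7 - 1)/8)^2.
    print("P(0), unbalanced f:", deutsch_jozsa_p0(lambda x: int(x == 0), 3))
```

When the promise fails the probability of observing 0 is the square of the coefficient $\frac{1}{2^m}\sum_x (-1)^{f(x)}$, so the answer is no longer deterministic.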
4. Shor's algorithm and factoring integers 

4.1. Overview. Shor's Algorithm, first published in 1994, factors an integer $N$ in time 
$O(L^2 \log(L) \log\log(L))$, where $L = \log(N)$. No classical algorithm of this time complexity is 
known. The problem of factoring integers turns out to be reducible to that of finding the order 
of elements of a finite cyclic group. That is, given an order finding algorithm, an algorithm may 
be constructed which will, with high probability, return a non-trivial factor of a given composite 
integer. Moreover this algorithm may be run quickly on a classical computer. We describe the 
reduction of factoring to order finding below. 

Order finding in a cyclic group is a special case of the more general problem of finding the period 
of a function which is known to be periodic. 

Definition 4.1. If $f$ is a function from a cyclic group $A$ (written additively) to a set $S$ then we 
say that $f$ is periodic, with period $r \in A$, if the following two conditions hold. For all $x \in A$ 

(i) $f(x) = f(x + r)$ and 
(ii) if $f(x) = f(x + y)$ then $r \mid y$. 

Given a periodic function from $\mathbb{Z}$ to $\mathbb{Z}_N$ the best known classical algorithm to determine $r$ requires 
$O(N)$ steps. By contrast, using Shor's algorithm, [53], [54], on a quantum computer only 
$O((\log N)^2)$ steps are required. 

As shown by Kitaev [38], the essential element of Shor's algorithm is the use of the Quantum 
Fourier transform to find an eigenvalue of a unitary transformation. This technique was first used 
in this way by Simon [55], [56] to generalise Deutsch's algorithm. Deutsch's algorithm, Simon's 
generalisation and the problems of period finding can all be regarded as cases of a problem known 
as the hidden subgroup problem. We shall describe this problem and various other applications of 
the Fourier transform in 4.9. Here we first outline the reduction of factoring of integers to order 
finding, in Section 4.2. We then describe the essential ingredient to Shor's algorithm, namely the 
Quantum Fourier transform and in Sectional! The algorithm itself is described in Section 4.5 and 
we end the section with a brief description of the implementation of the Quantum Fourier transform 
and an outline of the continued fractions algorithm which is necessary to extract information from 
the quantum part of the main algorithm. 

4.2. Factoring and period finding. It is well known that the ability to find the period of 
functions effectively would lead to an efficient algorithm for factoring integers. In order to see this 
suppose we wish to factor the integer $N$. We may clearly assume that $N$ is odd and, since there 
exist effective probabilistic tests for prime powers [40], that $N$ is divisible by more than one odd 
prime. Consider the function $F_N : \mathbb{Z}_N \to \mathbb{Z}_N$ given by 

$$F_N(a) = y^a \bmod N,$$

where $y$ is a randomly chosen integer in the range $1 < y < N$. Using the Euclidean algorithm on 
$y$ and $N$ we either find a factor of $N$ or we find that $y$ is coprime to $N$. We may therefore assume 
that $\gcd(y, N) = 1$. If $y$ and $N$ may both be represented as strings of at most $L$ bits then the total 
resource required by this step is $O(L^3)$ since this is a bound on the cost of running the Euclidean 
algorithm [40, p. 13]. With $\gcd(y, N) = 1$ the function $F_N$ takes distinct values $1, y, \ldots, y^{r-1}$, 
where $r$ is the (unknown to us) multiplicative order of $y$ modulo $N$. Thus $F_N$ is periodic of period 
$r$. Suppose now that we have computed the multiplicative order $r$ of $y$ modulo $N$, using our 
hypothetical period finding algorithm on $F_N$. Since $N \mid y^r - 1$ the Euclidean algorithm applied to 
$N$ and $y^r - 1$ merely returns the factor $N$ of $N$. On the other hand, if $r$ is even then 

$$0 \equiv y^r - 1 \equiv (y^{r/2} - 1)(y^{r/2} + 1) \bmod N.$$

As $r$ is minimal with the property that $y^r \equiv 1 \bmod N$ it follows that $N \nmid y^{r/2} - 1$, from which 
we see that $N$ and $y^{r/2} + 1$ have a common factor greater than 1. We now run the Euclidean 
algorithm with input $N$ and $y^{r/2} + 1$. If $N \nmid y^{r/2} + 1$ then we obtain a non-trivial factor of $N$, 
again in time at most $O(L^3)$. This step succeeds if and only if we happen to choose $y$ such that $y$ 
has even order, $r$, and in addition $N \nmid y^{r/2} + 1$. What is the probability of success? Following [16] 
we count the number of integers $y$ which result in failure. We have $1 < y < N$ and $\gcd(y, N) = 1$, 
so that $y \in \mathbb{Z}_N^*$, the group of units of $\mathbb{Z}_N$, and $r$ is the order of $y$ in this group. Note that the 
order of $\mathbb{Z}_N^*$ is $\phi(N)$, where $\phi$ is Euler's totient function: that is, $\phi(N)$ is the number of integers 
between 1 and $N$ which are coprime to $N$ (see [40, p. 19] for example). The notation of the 
following lemma is ambiguous, as $|x|$ denotes the order of a group element $x$ and $|X|$ denotes the 
cardinality of a set $X$, but the meaning should be clear from the context. 

Lemma 4.2 ([16]). Let $N = p_1^{\alpha_1} \cdots p_m^{\alpha_m}$ be the collected prime factorisation of an odd composite 
integer $N$ and let 

$$S = \{s \in \mathbb{Z}_N^* : |s| \text{ is odd or } s^{|s|/2} = -1\}.$$

Then $|S| \le \phi(N)/2^{m-1}$. 

Proof. For $n \in \mathbb{Z}$ define $l(n)$ to be the greatest integer $d$ such that $2^d \mid n$. 

Consider first the group $\mathbb{Z}_{p^\alpha}^*$, where $p$ is an odd prime and $\alpha$ a positive integer. This group is 
cyclic of even order $\phi = \phi(p^\alpha) = p^{\alpha-1}(p - 1)$ with generator $x$, say. Every element of $\mathbb{Z}_{p^\alpha}^*$ is of the 
form $x^k$, for some $k > 0$, and for exactly half the elements $k$ is even. Let $g = x^k$ be an element of 
$\mathbb{Z}_{p^\alpha}^*$ and suppose the order of $g$ is $r$. If $k$ is even then 

$$g^{\phi/2} = x^{k\phi/2} = (x^{\phi})^{k/2} = 1,$$

so $r \mid \phi/2$ and it follows that $l(r) < l(\phi)$. Conversely if $k$ is odd then $1 = g^r = x^{kr}$ so $\phi \mid rk$ and, 
since $\phi$ is even, this implies $l(\phi) \le l(r)$. Therefore precisely half of the elements $g$ of $\mathbb{Z}_{p^\alpha}^*$ satisfy 
$l(|g|) < l(\phi)$. 

Now consider $y \in \mathbb{Z}_N^*$. The Chinese remainder theorem [28] states that $\mathbb{Z}_N^*$ is isomorphic to 
$\bigoplus_{i=1}^{m} \mathbb{Z}_{p_i^{\alpha_i}}^*$ under the map taking $y$ to $(y_1, \ldots, y_m)$, where $y = y_i \in \mathbb{Z}_{p_i^{\alpha_i}}^*$, for $i = 1, \ldots, m$. Let $y$ 
have order $r$ in $\mathbb{Z}_N^*$ and let $y_i$ have order $r_i$ in $\mathbb{Z}_{p_i^{\alpha_i}}^*$. Applying the above isomorphism we see that 
$r_i \mid r$ so $l(r_i) \le l(r)$. First suppose that $r$ is odd. Then $l(r) = 0$ so $l(r_i) = 0$, for $i = 1, \ldots, m$. Now 
suppose that $r$ is even but that $y^{r/2} = -1$ in $\mathbb{Z}_N^*$. Using the Chinese remainder theorem again it 
follows that $y_i^{r/2} = -1$ in $\mathbb{Z}_{p_i^{\alpha_i}}^*$ and so $r_i \nmid r/2$. Hence $l(r_i) = l(r)$, for $i = 1, \ldots, m$. We have shown 
that if $y \in S$ then $l(r_i) = l(r)$, for $i = 1, \ldots, m$. To complete the proof we need only show that 
this is possible for at most $\phi(N)/2^{m-1}$ elements of $\mathbb{Z}_N^*$. 

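Fix $y_1 \in \mathbb{Z}_{p_1^{\alpha_1}}^*$ and let $r_1 = |y_1|$. From the first paragraph of the proof it follows that there are at 
most 

$$\prod_{i=2}^{m} \frac{\phi(p_i^{\alpha_i})}{2}$$

elements $(y_2, \ldots, y_m)$ of $\bigoplus_{i=2}^{m} \mathbb{Z}_{p_i^{\alpha_i}}^*$ such that $l(|y_i|) = l(|y_1|)$, for $i = 2, \ldots, m$. Summing over all 
elements of $\mathbb{Z}_{p_1^{\alpha_1}}^*$, there are at most 

$$\phi(p_1^{\alpha_1}) \prod_{i=2}^{m} \frac{\phi(p_i^{\alpha_i})}{2} = \phi(N)/2^{m-1}$$

elements $(y_1, \ldots, y_m)$ of $\bigoplus_{i=1}^{m} \mathbb{Z}_{p_i^{\alpha_i}}^*$ with $l(|y_1|) = \cdots = l(|y_m|)$. □ 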

Now let $y$ be an integer chosen uniformly at random from 

$$\{y \in \mathbb{Z} : 1 < y < N - 1 \text{ and } \gcd(y, N) = 1\}.$$

Then from Lemma 4.2 the probability that $y$ has even order in $\mathbb{Z}_N^*$ and $y^{|y|/2} \not\equiv -1 \bmod N$ is at 
least $1 - 1/2^{m-1}$. The resource cost of the procedure is $O(L^3)$, in addition to the cost of the order 
finding routine, and repeating it sufficiently often we can find a factor of $N$, with probability as 
close to 1 as we like. Shor's quantum algorithm, described below, finds the order of $y \in \mathbb{Z}_N^*$, with 
probability $1 - \epsilon$, for given $\epsilon > 0$, in time polynomial in $L$. Hence combining Shor's algorithm with 
the above we have a probabilistic algorithm for factoring integers which runs in time polynomial 
in $L = \log(N)$. 



4.3. The quantum Fourier transform. The Quantum Fourier Transform is more commonly known (to mathematicians) as the Discrete Fourier Transform. That is, a Fourier transform on a discrete group, which is defined using characters of irreducible representations. Since we'll be mainly concerned with Abelian groups we need to know very little about characters, and we summarise what is necessary here (for more detail see [31] or [22]).

A character of a finite Abelian group $G$ over a field $k$ is a homomorphism from $G$ to the multiplicative group $k^*$ of non-zero elements of $k$. (More generally a character is the trace of a representation.) We shall only consider characters over $\mathbb{C}$ here. The set of characters of $G$ is denoted $\hat{G}$. Since $G$ is finite, characters must be roots of unity. In particular the characters of the finite cyclic group $\mathbb{Z}_m$ are the homomorphisms $\chi_m^c = \chi^c$ defined by

$$\chi^c(a) = e^{2\pi i ca/m}, \text{ where } a \in \mathbb{Z}_m,$$

for $c = 0, \ldots, m-1$. It's easy to verify that the map $\chi : \mathbb{Z}_m \to \hat{\mathbb{Z}}_m$ defined by $\chi(a) = \chi^a$ is an isomorphism from $\mathbb{Z}_m$ to $\hat{\mathbb{Z}}_m$. (This result extends to all finite Abelian groups.)

We shall use the following simple property of characters of cyclic groups. 

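Lemma 4.3. The characters of $\mathbb{Z}_m$ satisfy

(i)

$$\sum_{a=0}^{m-1} \chi^c(a) = \begin{cases} m & \text{if } c \equiv 0 \bmod m \\ 0 & \text{if } c \not\equiv 0 \bmod m \end{cases} \qquad (4.1)$$

(ii) (Orthogonality of characters)

$$\sum_{a=0}^{m-1} \chi^c(a)\overline{\chi^d(a)} = \begin{cases} m & \text{if } c \equiv d \bmod m \\ 0 & \text{if } c \not\equiv d \bmod m \end{cases} \qquad (4.2)$$
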

Proof.

(i) This is easy to see if $c = 0$. If $c \neq 0$ then $\chi^c(1) = e^{2\pi i c/m}$ so $\chi^c(1) \neq 1$ and is a root of the polynomial $z^m - 1 = (z - 1)(z^{m-1} + \cdots + 1)$. The result follows, since $[\chi^c(1)]^k = \chi^c(k)$.

(ii) This follows easily from (4.1), given the observations that $\overline{\chi^c(x)} = \chi^c(-x)$, $\chi^c(-x) = \chi^{-c}(x)$ and $\chi^c(x)\chi^d(x) = \chi^{c+d}(x)$.

□



For a finite group $G$ the $|G|$-dimensional complex vector space

$$\mathbb{C}G = \bigoplus_{g \in G} \mathbb{C}|g\rangle$$

is a ring called the complex group algebra, with multiplication defined by

$$\Big(\sum_{g \in G} a(g)|g\rangle\Big)\Big(\sum_{g \in G} b(g)|g\rangle\Big) = \sum_{g \in G} c(g)|g\rangle,$$

where $a(g), b(g) \in \mathbb{C}$, for all $g \in G$, and $c(g) = \sum_{x \in G} a(x)b(x^{-1}g)$. The group algebra may also be regarded as the ring of maps from $G$ to $\mathbb{C}$, the map $a$ sending $g$ to $a(g)$ corresponding to $\sum_{g \in G} a(g)|g\rangle$. An element of $\mathbb{C}\mathbb{Z}_n$ will be said to be periodic if it is periodic as a map from $\mathbb{Z}_n$ to $\mathbb{C}$.

The quantum Fourier transform on $\mathbb{Z}_n$ is a $\mathbb{C}$-linear map $Q = Q_n$ from $\mathbb{C}\mathbb{Z}_n$ to itself defined on the basis vector $|x\rangle$ by

$$Q|x\rangle = \frac{1}{\sqrt{n}} \sum_{c=0}^{n-1} \overline{\chi^c(x)}\,|c\rangle,$$

where $\bar{z}$ denotes the complex conjugate of $z$. Extending by linearity we obtain the image of a general element:

$$Q\Big(\sum_{x=0}^{n-1} f(x)|x\rangle\Big) = \sum_{c=0}^{n-1} \hat{f}(c)|c\rangle,$$

where

$$\hat{f}(c) = \frac{1}{\sqrt{n}} \sum_{x=0}^{n-1} f(x)\, e^{-2\pi i cx/n}. \qquad (4.3)$$

We have seen one instance of the Fourier transform already: the single bit Walsh-Hadamard transformation $W$ is equal to $Q_2$. By comparing coefficients of basis vectors it is easy to see that $W_n \neq Q_n$, for $n > 2$, although it is true that $W_n|0\rangle = Q_n|0\rangle$, for all $n$.

To see that the quantum Fourier transform is a unitary transformation consider its matrix $Q$, relative to the basis $|x\rangle$, $x \in \mathbb{Z}_n$, for $\mathbb{C}\mathbb{Z}_n$. We have $Q = (a_{c,x})$, where the row $c$, column $x$ entry is

$$a_{c,x} = \frac{1}{\sqrt{n}}\overline{\chi^c(x)}, \quad 0 \le c, x \le n-1.$$

Therefore the conjugate transpose of $Q$ is $Q^\dagger = (b_{c,x})$, where

$$b_{c,x} = \frac{1}{\sqrt{n}}\chi^x(c),$$

and a straightforward computation using (4.2) shows that $QQ^\dagger = I$. This shows that $Q$ is a unitary transformation and allows us to write down the image of its inverse, the inverse Fourier transform $Q^{-1}$ on a basis vector $|x\rangle$. That is

$$Q^{-1}|x\rangle = \frac{1}{\sqrt{n}} \sum_{c=0}^{n-1} \chi^c(x)|c\rangle.$$

In Section 4.7 we shall show how the Fourier transform may be implemented using standard quantum gates.

A crucial property of the quantum Fourier transform is that it identifies periods. That is, if $f$ is periodic, with period $r$, and $r$ divides $n$ then $Q(f)$ has non-zero coefficients only at basis vectors $|c\rangle$ which are multiples of $n/r$.

Lemma 4.4. Let $f \in \mathbb{C}\mathbb{Z}_n$ and suppose that $f$ is periodic of period $r$, where $r \mid n$. Then

$$\hat{f}(c) = \begin{cases} \dfrac{\sqrt{n}}{r}\displaystyle\sum_{s=0}^{r-1} f(s)\overline{\chi_n^c(s)}, & \text{if } c \equiv 0 \bmod n/r \\ 0, & \text{otherwise.} \end{cases} \qquad (4.4)$$

Proof.

$$\hat{f}(c) = \frac{1}{\sqrt{n}}\sum_{x=0}^{n-1} f(x)\overline{\chi^c(x)} = \frac{1}{\sqrt{n}}\sum_{a=0}^{r-1}\sum_{s=0}^{n/r-1} f(a+sr)\overline{\chi^c(a+sr)} = \frac{1}{\sqrt{n}}\sum_{a=0}^{r-1} f(a)\overline{\chi^c(a)}\sum_{s=0}^{n/r-1}\overline{\chi^c(sr)}.$$

The result follows on applying Lemma 4.3 modulo $n/r$. □

4.4. Period finding for beginners. It is instructive to look first at a restricted case of the period finding algorithm. Assume that we have a function $f : \mathbb{Z} \to \mathbb{Z}_N$ which is periodic of period $r$, as in Definition 4.1. In the restricted case we shall assume that $N$-ary quantum bits are available, so a basic quantum system is an $N$-dimensional vector space. Consequently we shall assume, for this section only, that transformations that we've previously defined using qubits are also defined and implemented for such $N$-ary quantum bits. We shall in addition assume that $r \mid N$ so that $f$ induces a periodic function from $\mathbb{Z}_N$ to itself. Of course this is an artificial constraint, especially since it is $r$ we're trying to find, but it illustrates the operation of the algorithm without involving the technical detail of the general case.

We begin with two registers, of one $N$-ary quantum bit each, in initial state $|0\rangle|0\rangle$. To the first register we apply the Walsh-Hadamard transform to obtain the state

$$\frac{1}{\sqrt{N}}\sum_{x=0}^{N-1} |x\rangle|0\rangle.$$

As in previous sections, we assume that a $U_f$-gate which evaluates $f$ is available. We now apply this to our state to obtain the superposition

$$\frac{1}{\sqrt{N}}\sum_{x=0}^{N-1} |x\rangle|f(x)\rangle.$$

At this point we could apply the quantum Fourier transform to the first register of the state. However it simplifies notation and makes no difference to the outcome if we observe the second register first (see Example 4.5 below). So, we now observe the second register and obtain, uniformly at random, some value $y_0$ in the image of $f$. The system then projects to the state

$$\frac{1}{\sqrt{|f^{-1}(y_0)|}}\sum_{x \in f^{-1}(y_0)} |x\rangle|y_0\rangle.$$

Since $f$ is periodic in the sense of Definition 4.1 there is precisely one value $x_0$ with $0 \le x_0 < r$ such that $f(x_0) = y_0$. If we set $K = N/r$ then, in the first register, we have the state

$$|\psi\rangle = \frac{1}{\sqrt{K}}\sum_{k=0}^{K-1} |x_0 + kr\rangle = \sum_{x=0}^{N-1} \psi(x)|x\rangle,$$

where

$$\psi(x) = \begin{cases} \sqrt{r/N}, & \text{if } r \mid x - x_0 \\ 0, & \text{otherwise.} \end{cases}$$

Figure 13. Collapsing to a periodic state



Thus $\psi \in \mathbb{C}\mathbb{Z}_N$ is periodic with period $r$. For example, for the function drawn in Figure 13 where $N = 8$ and $r = 4$, we have observed $|2\rangle$ in the second register and this has set the value $x_0$ to 1. Notice that, since $y_0$ is a random element of the image of $f$, observation of the first register at this stage returns a value $x_0 + kr$, for some uniformly random $k \in \{0, \ldots, N/r - 1\}$. That is, observation of the periodic state $|\psi\rangle$ will simply give a uniformly random value in $\{0, \ldots, N-1\}$ and yields no information on the value of $r$ at all!

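Now, if we apply $Q$ to the first register then, using Lemma 4.4 we obtain

$$Q|\psi\rangle = \sum_{c=0}^{N-1} \hat{\psi}(c)|c\rangle,$$

where

$$\hat{\psi}(c) = \begin{cases} \dfrac{\sqrt{N}}{r}\displaystyle\sum_{s=0}^{r-1}\psi(s)\overline{\chi^c(s)}, & \text{if } c \equiv 0 \bmod N/r \\ 0, & \text{otherwise} \end{cases} \;=\; \begin{cases} \dfrac{1}{\sqrt{r}}\overline{\chi^c(x_0)}, & \text{if } c \equiv 0 \bmod N/r \\ 0, & \text{otherwise} \end{cases}$$

since $\psi(x_0) = 1/\sqrt{K}$ and $\psi(s) = 0$ for all $s \neq x_0$. Therefore, setting $c(s) = sN/r$,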




Now we observe this state. We obtain a value $c = c(s)$ which is a multiple of $N/r$. In fact, for a uniformly random $s \in \{0, \ldots, r-1\}$ we have

$$c = s\frac{N}{r}, \quad \text{so} \quad \frac{c}{N} = \frac{s}{r},$$

where the fraction $c/N$ is known. If we reduce $c/N$ down to lowest terms (using the Euclidean algorithm) then we may determine $r$, as the denominator of this irreducible fraction, provided that $\gcd(s, r) = 1$. If $s$ and $r$ are not coprime then we will obtain a proper factor of $r$ and not $r$ itself. To see that this is not really a problem, we appeal to a result from number theory (see [28] for example):

where $\gamma$ is a constant known as Euler's constant. This means that if we choose a random number from $\{0, \ldots, n-1\}$ then the probability $p(n)$ that it is coprime to $n$ satisfies

(4.6) „(„) = M > 



log e log e n 

So we obtain a number coprime to $N$ with probability $1 - \epsilon$, where $\epsilon > 0$ can be made arbitrarily small, by repeating the above observation $O(\log_e \log_e N)$ times.

In summary, at each iteration the process outputs a number $c$. A value $r$ may then be read off from the equality $c/N = s/r$, where $\gcd(r, s) = 1$. Repeating the process sufficiently many times we may compute the period of $f$, to within a given probability, as the least common multiple of the non-zero $r$ values.

Example 4.5. Suppose we wish to factorise 21. We begin by choosing an integer coprime to 21, say 4, as described in Section 4.2. The function $f : \mathbb{Z}_{21} \to \mathbb{Z}_{21}$ is given by $f(k) = 4^k$ and has period $r$, which we wish to find. After applying $W_{21}$ and $U_f$ we have the state

$$\frac{1}{\sqrt{21}}\big[(|0\rangle + |3\rangle + |6\rangle + |9\rangle + |12\rangle + |15\rangle + |18\rangle)|1\rangle + (|1\rangle + |4\rangle + |7\rangle + |10\rangle + |13\rangle + |16\rangle + |19\rangle)|4\rangle + (|2\rangle + |5\rangle + |8\rangle + |11\rangle + |14\rangle + |17\rangle + |20\rangle)|16\rangle\big].$$

Observing the second register we obtain, with probability 1/3, one of 1, 4 or 16. The first register then contains $|\psi_0\rangle$, $|\psi_1\rangle$ or $|\psi_2\rangle$, where $|\psi_s\rangle = \frac{1}{\sqrt{7}}\sum_{k=0}^{6} |s + 3k\rangle$.

Applying $Q_{21}$ to these states we have

$$Q|\psi_0\rangle = \frac{1}{\sqrt{3}}(|0\rangle + |7\rangle + |14\rangle) \quad \text{or}$$
$$Q|\psi_1\rangle = \frac{1}{\sqrt{3}}(|0\rangle + \omega|7\rangle + \omega^2|14\rangle) \quad \text{or}$$
$$Q|\psi_2\rangle = \frac{1}{\sqrt{3}}(|0\rangle + \omega^2|7\rangle + \omega|14\rangle),$$

where $\omega = e^{-2\pi i/3}$. Whichever of these we have, observation now yields, with equal probabilities, $c = 0$, $c = 7$ or $c = 14$. If we observe $c = 0$ then the process must be run again. If we observe $c = 7$ then $c/N = 7/21 = 1/3$ and the denominator of this fraction is $r$. Similarly, if $c = 14$ we read $r$ off from $c/N = 14/21 = 2/3$. (Of course the example has been set up in the knowledge that the order of 4 divides 21, merely for purposes of illustration. We should not be misled to the conclusion that the example generalises to a simple method for factoring integers.)

Notice that if we had omitted the observation of the second register before application of $Q$ then, applying $Q$ would have resulted in the state

$$\frac{1}{3}\big[(|0\rangle + |7\rangle + |14\rangle)|1\rangle + (|0\rangle + \omega|7\rangle + \omega^2|14\rangle)|4\rangle + (|0\rangle + \omega^2|7\rangle + \omega|14\rangle)|16\rangle\big]$$

and observation would have given the same result as before.

4.5. Advanced period finding. There are two immediate problems to be overcome in implementation of the algorithm in general. First of all we have defined quantum computation in terms of qubits, not $N$-ary bits. In this setting we need at least $L = \lceil\log(N)\rceil$ qubits to represent $N$ as a binary integer. This means that we shall have to run the algorithm using the quantum Fourier transform $Q_q$ for some $q$ which is not equal to $N$. Secondly, we cannot assume that the period $r$ divides $q$ (or $N$). If $q/r$ is not an integer then a periodic function $f : \mathbb{Z} \to \mathbb{Z}_N$ of period $r$ does not induce a well-defined function from $\mathbb{Z}_q$ to $\mathbb{Z}_N$.

Figure 14. Exact and non-exact cases for the quantum Fourier transform



Suppose then that we have a periodic function $f : \mathbb{Z} \to \mathbb{Z}_N$ of period $r$, as before, but now we do not assume $r \mid N$. To address the first problem above we choose $q = 2^n > N$, for some integer $n$. We shall see below that the success of the algorithm depends on making a good choice for $q$. Recall that we identify $a_0 \otimes \cdots \otimes a_{n-1} \in \mathbb{Z}_2^{\otimes n}$ with a binary integer via the map $b$ such that $b(a_0 \otimes \cdots \otimes a_{n-1}) = 2^{n-1}a_0 + \cdots + a_{n-1}$. We use the composite $f \circ b : \mathbb{Z}_2^{\otimes n} \to \mathbb{Z}_N$ to simulate $f$. Replacing $f$ by this function observe that it satisfies the conditions that, for all $x$ such that $0 \le x < q - r$,

(i) $f(x) = f(x + r)$ and

(ii) $f(x + y) = f(x)$ implies $r \mid y$, if $0 \le y < q - r - x$.

We shall also use the map $b$ to identify $\mathbb{Z}_2^{\otimes n}$ with the set $\{0, \ldots, q-1\}$, which we regard as $\mathbb{Z}_q$. In particular this identification allows us to apply the Fourier transform $Q_q$ to $\mathbb{Z}_2^{\otimes n}$.

We can set up our algorithm, along the lines of Section 4.4, starting with two registers, the first of $n$ qubits and the second of $L$ qubits in initial state $|0\rangle|0\rangle$. As before we apply Walsh-Hadamard $W_n$ and a $U_f$ gate to obtain the state

$$\frac{1}{\sqrt{q}}\sum_{x=0}^{q-1} |x\rangle|f(x)\rangle. \qquad (4.7)$$



However, if $q/r$ is not an integer then after applying the quantum Fourier transform $Q_q$ to the first register of (4.7) there may be non-zero coefficients $\hat{\psi}(c)$ at values of $c$ which are not multiples of $q/r$. Nevertheless it turns out that the non-zero coefficients are clustered around points close to multiples of $q/r$ (see Figure 14). This means that, if a good choice of $q$ is made, there is a high probability of an observation returning a value close enough to one of these multiples to allow the use of a classical algorithm, based on properties of continued fractions, to yield the value of $r$.

First we shall state the required property of continued fractions and describe how it can be used to extract information from the algorithm. Then we'll complete the description of the algorithm.

The property we need of continued fractions is the following. The necessary definitions and background can be found in Section 4.8.



Theorem 4.6. [28] If $x \in \mathbb{Q}$ satisfies

$$\left|\frac{p}{r} - x\right| < \frac{1}{2r^2}$$

then $p/r$ is a convergent of the continued fraction expansion of $x$.

(This theorem holds for all $x \in \mathbb{R}$, but we do not need this here and we've only defined continued fractions for rational numbers.)

To see how this helps suppose that, as in Section 4.4, we apply $Q_q$ to the first register of (4.7) and then observe to obtain a value $c$. If

$$\left|\frac{c}{q} - \frac{s}{r}\right| < \frac{1}{2r^2},$$

for some integer $s$ then Theorem 4.6 implies that $s/r$ is a convergent of the continued fraction expansion of $c/q$. As $c$ and $q$ are known these convergents may all be calculated using the Euclidean algorithm. If, in addition, $\gcd(s, r) = 1$ then the denominator of one of the convergents is $r$.

Furthermore, given $s$ with $0 \le s < r$ there is a unique integer $c_s$ such that $-r/2 < c_s r - sq \le r/2$ and for such $c_s$ we have

$$\left|\frac{c_s}{q} - \frac{s}{r}\right| \le \frac{1}{2q}. \qquad (4.8)$$



This motivates the choice of $q$ as the unique integer $q = 2^n$ such that $N^2 \le q < 2N^2$: for then, with $s$ and $c_s$ as above,

$$\left|\frac{c_s}{q} - \frac{s}{r}\right| \le \frac{1}{2q} \le \frac{1}{2N^2} < \frac{1}{2r^2}, \qquad (4.9)$$

since $r < N$.

Given this choice of $q$, if we observe $c_s$ for $s$ such that $\gcd(r, s) = 1$, then we can compute the convergents of the continued fraction expansion of $c_s/q$ using the continued fraction algorithm, as described in Section 4.8. From Theorem 4.6 and (4.9), $s/r$ is among these convergents. It is a further consequence of our choice of $q$ that $s/r$ is the unique convergent of $c_s/q$ satisfying the inequality (4.8). To see this suppose that $a$ and $b$ are positive integers with $b < N$ such that $a/b$ also satisfies (4.8). Then

$$\left|\frac{s}{r} - \frac{a}{b}\right| \le \left|\frac{s}{r} - \frac{c_s}{q}\right| + \left|\frac{c_s}{q} - \frac{a}{b}\right| \le \frac{1}{q}.$$

This implies that $|sb - ar| \le rb/q$ and as $N^2 \le q$ it follows that $|sb - ar| < 1$ so that $s/r = a/b$. Therefore, as claimed, $s/r$ is the unique convergent satisfying (4.8). This being the case we can use (4.8) to find $s/r$ amongst the convergents of $c_s/q$ and this allows us to compute $r$. The time taken to do this, once $c_s$ has been observed, is therefore $O(L^3)$. Therefore we shall need to know the probability of observing $c_s$, for $s$ such that $\gcd(r, s) = 1$.

To start with we observe the second register of (4.7) and obtain some value $b \in \mathbb{Z}_N$. As before, there is $a$ such that $f(a) = b$ and $0 \le a < r$, and so $f^{-1}(b) = \{a + kr : 0 \le k < K_a\}$, where $K_a$ is the greatest integer such that $(K_a - 1)r + a < q$. In the first register we now have

$$|\psi\rangle = \frac{1}{\sqrt{K_a}}\sum_{k=0}^{K_a-1} |a + kr\rangle = \sum_{x=0}^{q-1} \psi(x)|x\rangle,$$

where

$$\psi(x) = \begin{cases} \dfrac{1}{\sqrt{K_a}}, & \text{if } r \mid x - a \\ 0, & \text{otherwise.} \end{cases}$$

We now apply $Q$ to the first register and obtain

$$Q|\psi\rangle = \sum_{c=0}^{q-1} \hat{\psi}(c)|c\rangle, \qquad (4.10)$$

where, using (4.3) and an argument similar to that of the proof of Lemma 4.4,

$$\hat{\psi}(c) = \frac{1}{\sqrt{qK_a}}\sum_{k=0}^{K_a-1} e^{-2\pi i c(a+kr)/q}. \qquad (4.11)$$

We now observe the first register and use the following estimate, which we prove in Section 4.6 following [TBJ and p9]

Proposition 4.7. The probability of observing (4.10) and obtaining a value $c_s$ such that

$$\left|\frac{c_s}{q} - \frac{s}{r}\right| < \frac{1}{2r^2}$$

and $\gcd(s, r) = 1$ is at least



40(r) 



In particular, if $N > 158$ and $r > 19$ then this probability is at least $1/(10\log_e \log_e(N))$.



Summary: the period finding algorithm

Given a function $f : \mathbb{Z} \to \mathbb{Z}_N$ which is periodic of period $r$ perform the following steps.

(1) First check whether $f$ has period $r < 19$. The number of operations this requires depends on $f$. For example if $f$ is modular exponentiation, as in Shor's algorithm, then this step requires $O(\log^3(N))$ operations.

(2) Compute $L = \lceil\log(N)\rceil$ and set $q = 2^n$, where $2\log(N) \le n < 2\log(N) + 1$. This may be done using a classical algorithm in $O(L)$ operations.

(3) Prepare first and second registers $Q$ and $R$ of $n$ and $L$ qubits, respectively, in state $|0\rangle|0\rangle \in Q \otimes R$.

(4) Apply $W_n \otimes I$ to the state of (3). The Walsh-Hadamard transformation $W_n$ may be implemented using $n$ single qubit Walsh-Hadamard gates so the number of operations required in this step is $O(n) = O(L)$.

(5) In this step we assume the existence of a unitary transformation $U_f$ from $Q \otimes R$ to itself, which maps basis vector $|x\rangle|y\rangle$ to $|x\rangle|f(x) \oplus y\rangle$. Apply $U_f$ to the output of (3) to give (4.7). The complexity of this step is dependent on $f$. For example if $f$ is modular exponentiation then $U_f$ may be implemented using $O(L^3)$ operations.

(6) Observe the second register of (4.7) and project to a state $|\psi\rangle|b\rangle$, where $|\psi\rangle \in Q$ and $b \in \mathbb{Z}_N$.

(7) Apply $Q_q \otimes I$ to $|\psi\rangle|b\rangle$ to obtain (4.10) in the first register (and $|b\rangle$ in the second). We show in Section 4.7 that $Q_q$ may be implemented in $O(n^2) = O(L^2)$ operations.

(8) Observe the state of $Q$ and obtain a basis vector $|c\rangle|b\rangle$.

(9) Use the continued fraction algorithm (see Section 4.8) to find the convergents of $c/q$ and output a candidate $r'$ for the period of $f$. This requires $O(L^3)$ operations.

Modulo the complexity of $f$ the above procedure requires $O(L^3)$ operations. From Proposition 4.7 the final step is successful with probability $1/(10\log_e \log_e(N))$. Hence we repeat the algorithm $O(\log\log(N)) = O(\log(L))$ times and compute the least common multiple $l$ of the non-zero values $r'$ output in the last step. Then with high probability, $l = r$, the period of $f$. Hence we have computed $r$ in $O(L^3\log(L))$ operations, subject to the time required to compute $f$ and the probability of error. In the case of Shor's algorithm, where $f$ is exponentiation modulo $N$, it follows that we can perform quantum modular exponentiation in time $O(L^3\log(L))$, where $L = \log(N)$. As the reduction of factoring to period finding described in Section 4.2 requires $O(L^3)$ operations we have a quantum algorithm for factoring an integer $N$ in time $O(L^3\log(L))$. In fact this bound is not tight and, by using faster algorithms for integer arithmetic, Shor [54] obtains the bound of $O(L^2\log(L)\log\log(L))$ mentioned at the beginning of this section.
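The classical side of the procedure summarised above, together with the exact case of Example 4.5, as an added example (not code from the paper): it evaluates the distribution of the observed value $c$ from (4.11) and recovers candidate periods from the convergents of $c/q$ using (4.8). The function names and the sample $N = 21$, $f(x) = 2^x \bmod 21$ are constructed for illustration, and the normalisation $1/\sqrt{qK_a}$ is the one that makes the state a unit vector.

```python
"""Classical simulation of steps (2) and (6)-(9) of the period-finding summary."""
import cmath
from fractions import Fraction


def choose_q(N):
    """Step (2): the unique power of two q with N^2 <= q < 2*N^2."""
    return 1 << (N * N - 1).bit_length()


def continued_fraction(p, q):
    """Partial quotients [a_0, ..., a_n] of p/q, read off the Euclidean algorithm."""
    terms = []
    while q:
        a, rem = divmod(p, q)
        terms.append(a)
        p, q = q, rem
    return terms


def convergents(p, q):
    """Convergents p_j/q_j of p/q via h_j = a_j*h_{j-1} + h_{j-2} (same for k_j)."""
    h_prev, h = 0, 1      # numerators   h_{-2}, h_{-1}
    k_prev, k = 1, 0      # denominators k_{-2}, k_{-1}
    result = []
    for a in continued_fraction(p, q):
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        result.append(Fraction(h, k))
    return result


def candidate_period(c, q, N):
    """Step (9): denominator b of the convergent a/b of c/q with b < N and
    |c/q - a/b| <= 1/(2q), as in (4.8); None when no convergent qualifies."""
    x = Fraction(c, q)
    for conv in convergents(c, q):
        if conv.denominator < N and abs(x - conv) <= Fraction(1, 2 * q):
            return conv.denominator
    return None


def nearest_multiples(r, q):
    """The integers c_s with -r/2 < c_s*r - s*q <= r/2, for s = 0, ..., r-1."""
    return [(s * q + r // 2) // r for s in range(r)]


def measurement_probabilities(a, r, q):
    """Distribution of the value c observed in step (8): |psi_hat(c)|^2, with
    psi_hat(c) = (q*K_a)^(-1/2) * sum_k exp(-2*pi*i*c*(a + k*r)/q) as in (4.11)."""
    K = (q - 1 - a) // r + 1          # K_a: number of k >= 0 with a + k*r < q
    probs = []
    for c in range(q):
        amp = sum(cmath.exp(-2j * cmath.pi * c * (a + k * r) / q) for k in range(K))
        probs.append(abs(amp) ** 2 / (q * K))
    return probs


if __name__ == "__main__":
    # Constructed sample: f(x) = 2^x mod 21, whose period is r = 6 (found by brute
    # force here only so that the distribution can be computed classically).
    N, y = 21, 2
    r = next(k for k in range(1, N) if pow(y, k, N) == 1)
    q = choose_q(N)                    # 512, so q/r is not an integer
    probs = measurement_probabilities(0, r, q)
    for s, c in enumerate(nearest_multiples(r, q)):
        print(f"s={s} c_s={c} p={probs[c]:.4f} r'={candidate_period(c, q, N)}")
```

For $s$ not coprime to $r$ the candidate is a proper factor of $r$, which is why the summary takes the least common multiple of the candidates over several runs.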
4.6. Probability estimates. We shall need the following result from [51].
Theorem 4.8. For $r \ge 3$,

$$\frac{r}{\phi(r)} < e^{\gamma}\log_e \log_e(r) + \frac{2.50637}{\log_e \log_e(r)},$$

where $\gamma = \lim_{n \to \infty}\left(1 + \frac{1}{2} + \frac{1}{3} + \cdots + \frac{1}{n} - \log_e(n)\right) = 0.57721556649\ldots$ is Euler's constant.

Recall from Section 4.5 that $f$ is a periodic function from $\mathbb{Z}_q$ to $\mathbb{Z}_N$ of period $r$, that $L, n, N, r, q \in \mathbb{Z}$, with $1 < r < N$, $q = 2^n$, $N^2 \le q < 2N^2$ and $L = \lceil\log N\rceil$. We have a 2 register quantum system with first and second registers of $n$ and $L$ qubits, respectively. The first register is in the state given by (4.10) and the second in state $|b\rangle$, where $b = f(a)$. In addition $K_a$ is the largest integer such that $(K_a - 1)r + a < q$. In the special case of Section 4.4 we measured (4.5) and, with high probability, observed $c$ such that $cr - Ns = 0$, for some $s$ with $\gcd(r, s) = 1$. In the general case we shall show that when we measure (4.10) there is a high probability of observing $c$ such that $-r/2 < cr - sq \le r/2$, for some integer $s$ such that $\gcd(r, s) = 1$. This will be enough to allow us to compute $r$.

Proof of Proposition 4.7. Recall that, given $s \in \mathbb{Z}$, we write $c_s$ for the unique integer such that $-r/2 < c_s r - sq \le r/2$. Simple calculations show that $0 \le c_s < q$ if and only if $0 \le s < r$ and also that if $c_s = c_t$ then $s = t$. Hence the integers $c_0, \ldots, c_{r-1}$ are distinct and lie in $[0, q)$.

For each $s$ with $0 \le s < r$ write $\epsilon_s = c_s r - sq$ and define

$$\theta_s = \frac{2\pi\epsilon_s}{q}.$$

The conditions on $K_a$ imply that

$$\frac{q}{r} - 1 < K_a < \frac{q}{r} + 1. \qquad (4.12)$$

Therefore, for $s$ such that $0 \le \epsilon_s \le r/2$ and for $k$ such that $0 \le k < K_a$, we have

$$0 \le k\theta_s \le \frac{\pi kr}{q} < \pi.$$

Hence, for such $s$, the points $e^{-ik\theta_s}$ lie in the lower half-plane, for $k = 0, \ldots, K_a - 1$ (see Figure 15). Similarly, for $s$ such that $-r/2 < \epsilon_s < 0$ the points $e^{-ik\theta_s}$ lie in the upper half-plane, for $k = 0, \ldots, K_a - 1$.

Figure 15. The points $e^{-ik\theta_s}$, for $s$ such that $0 \le \epsilon_s \le r/2$.

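It follows (see Figure 16) that for all $s$ such that $0 \le s < r$,

$$\left|\sum_{k=0}^{K_a-1} e^{-ik\theta_s}\right| \ge \left|\sum_{k=0}^{K_a-1} e^{-i\pi rk/q}\right|. \qquad (4.13)$$

This is known as constructive interference.

Figure 16. Different rates of constructive interference

We shall denote by $p_1(c)$ the probability that $c$ is observed when the first register is measured with respect to the computational basis. The state (4.10) has coefficients given by (4.11) so

$$p_1(c) = \left|\frac{1}{\sqrt{qK_a}}\sum_{k=0}^{K_a-1} e^{-2\pi i c(a+kr)/q}\right|^2 = \frac{1}{qK_a}\left|\sum_{k=0}^{K_a-1} e^{-2\pi i c(a+kr)/q}\right|^2 = \frac{1}{qK_a}\left|\sum_{k=0}^{K_a-1} e^{-2\pi i ckr/q}\right|^2. \qquad (4.14)$$

Since

$$\frac{-2\pi i c_s r}{q} = \frac{-2\pi i(sq + \epsilon_s)}{q} = -2\pi i s - \frac{2\pi i\epsilon_s}{q}$$

we have

$$e^{(-2\pi i c_s r)k/q} = e^{(-2\pi i\epsilon_s)k/q} = e^{-i\theta_s k}, \qquad (4.15)$$

for $0 \le s < r$.

Combining (4.13), (4.14) and (4.15) we have

$$p_1(c_s) \ge \frac{1}{qK_a}\left|\sum_{k=0}^{K_a-1} e^{-(i\pi rk)/q}\right|^2 = \frac{1}{qK_a}\left|\frac{\left(e^{-(i\pi r)/q}\right)^{K_a} - 1}{e^{-(i\pi r)/q} - 1}\right|^2 = \frac{\sin^2(\pi rK_a/2q)}{K_a q\sin^2(\pi r/2q)}, \qquad (4.16)$$

using the identity $|e^{ix} - 1|^2 = 4\sin^2(x/2)$, for $x \in \mathbb{R}$.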

From (4.12) we have



so 

(4.17) 



< - 1 



sin 



r \ K„ nr tt 



<l 



< 



2g 



< 1 



< 7T, 



>sin(£ (l + (-l) rf (I 
for $d = 1$ or for $d = -1$. As $r/q$ is small we have (using a Taylor series expansion)

2 



2 / 7T / . r \ \ . _ /7rr 



and

(4.19) $\sin(\pi r/2q) < \pi r/2q$.

Combining (4.16), (4.17), (4.18) and (4.19) we see that the probability of observing $c_s$, for some $s$ such that $0 \le s < r$, is

/ / \ 2 \/o\2 

q I ( irr \ \ I A 



K a \ l \2q 



rq / / nr \ \ I 2 



r + 9 I ^2? 



4 / / 7rr 



(4- 2 °) > 351 1 - 



2q 



As discussed in Section 4.4 the probability that $s \in \{0, \ldots, r-1\}$ is coprime to $r$ is $\phi(r)/r$. Together with (4.9) and (4.20) this yields the first statement of the proposition.

For the final statement we note that if N > 158 then 

4 / /7rr\ 2 \ 2 



Since there are $r$ distinct integers, $c_0, \ldots, c_{r-1}$ this implies that $p_1(c_s) > 2/5$. From Theorem 4.8 it follows that if $r > 19$ then

$$\frac{\phi(r)}{r} > \frac{1}{4\log_e \log_e(r)} \ge \frac{1}{4\log_e \log_e(N)}$$

and the final statement of the proposition follows. □



4.7. Efficient implementation of the quantum Fourier transform. As in the case of 
the Deutsch-Jozsa algorithm it is the complexity of Shor's algorithm which is of interest. Shor 
showed that his algorithm could be implemented efficiently using small quantum circuits because 
this is also true of the quantum Fourier transform on . In fact this implementation of the 
quantum Fourier transform is essentially an adaptation of the standard fast Fourier transform 
technology to quantum computation. Here we'll show that it is possible to implement the quantum 
Fourier transform on $\mathbb{Z}_{2^n}$ using at most $n^2$ 2-qubit gates.

If $U$ is a single qubit quantum gate, then we define the controlled $U$-gate, a unitary transformation of a 2-qubit system, by

$$|0\rangle\langle 0| \otimes I + |1\rangle\langle 1| \otimes U.$$

If the first qubit is $|1\rangle$ then $U$ is applied to the second qubit. If it is $|0\rangle$ then the identity $I$ is applied to the second qubit. The controlled $U$-gate is depicted in a quantum circuit diagram in Figure 17.

Let $R_\phi$ be the unitary transformation (called a phase shift) on a single qubit given by the matrix

Figure 17. A controlled $U$-gate

Let $B_k$ ($k \in \mathbb{N}$) denote $R_{\pi/2^k}$. Now consider the 4-qubit circuit in Figure 18 which is constructed using controlled $B_k$-gates. We claim that this performs the quantum Fourier transform on $\mathbb{Z}_{2^4}$. The first Walsh-Hadamard gate applies $W \otimes I^{\otimes 3}$ to $|k_3k_2k_1k_0\rangle$ and results in

$$(W \otimes I^{\otimes 3})|k_3k_2k_1k_0\rangle = \begin{cases} \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \otimes |k_2k_1k_0\rangle & \text{if } k_3 = 0 \\ \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle) \otimes |k_2k_1k_0\rangle & \text{if } k_3 = 1 \end{cases}$$

Figure 18. A quantum circuit for the 4-qubit quantum Fourier transform



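This can be written as

$$\frac{1}{\sqrt{2}}(|0\rangle + e^{-i\pi k_3}|1\rangle) \otimes |k_2k_1k_0\rangle.$$

The map corresponding to the first controlled-$B_1$ gate is

$$|0\rangle\langle 0| \otimes I^{\otimes 3} + |1\rangle\langle 1| \otimes R_{\pi/2} \otimes I^{\otimes 2}.$$

After passing through this gate the quantum state becomes

$$\begin{cases} \frac{1}{\sqrt{2}}\left(|00k_1k_0\rangle + e^{-i\pi k_3}|10k_1k_0\rangle\right) & \text{if } k_2 = 0 \\ \frac{1}{\sqrt{2}}\left(|01k_1k_0\rangle + e^{-i\pi k_3}|1\rangle \otimes e^{-i\pi/2}|1\rangle \otimes |k_1k_0\rangle\right) & \text{if } k_2 = 1 \end{cases}$$

which can be written as

$$\frac{1}{\sqrt{2}}\left(|0\rangle + e^{-i\pi(k_3 + \frac{k_2}{2})}|1\rangle\right) \otimes |k_2k_1k_0\rangle.$$

Using similar calculations, after phase 1 the state becomes

$$\frac{1}{\sqrt{2}}\left(|0\rangle + e^{-i\pi(k_3 + \frac{k_2}{2} + \frac{k_1}{4} + \frac{k_0}{8})}|1\rangle\right) \otimes |k_2k_1k_0\rangle.$$

That is, we have

$$|k\rangle \mapsto \frac{1}{\sqrt{2}}\left(|0\rangle + e^{-2\pi i k/16}|1\rangle\right) \otimes |k_2k_1k_0\rangle,$$

where $|k\rangle = |k_3k_2k_1k_0\rangle$, and we can further rewrite the right hand side as

Similarly, after phase 2 we obtain

$$\frac{1}{\sqrt{2^2}}\sum_{b_0=0}^{1}\sum_{b_1=0}^{1} e^{-\frac{2\pi i k}{16}(b_0 + 2b_1)}|b_0b_1k_1k_0\rangle$$

and after phase 4 the state becomes

$$\frac{1}{\sqrt{2^4}}\sum_{b_0=0}^{1}\sum_{b_1=0}^{1}\sum_{b_2=0}^{1}\sum_{b_3=0}^{1} e^{-\frac{2\pi i k}{16}(b_0 + 2b_1 + 4b_2 + 8b_3)}|b_0b_1b_2b_3\rangle.$$

Swapping qubits $3 \leftrightarrow 0$ and $1 \leftrightarrow 2$, and setting $|b\rangle = |b_3b_2b_1b_0\rangle$, gives

$$\frac{1}{\sqrt{2^4}}\sum_{b=0}^{2^4-1} e^{-\frac{2\pi i kb}{16}}|b\rangle,$$

the quantum Fourier transform on $\mathbb{Z}_{2^4}$ applied to $|k\rangle \in \mathbb{Z}_{2^4}$. This generalises in a straightforward manner to give the quantum Fourier transform of $\mathbb{Z}_{2^n}$, for arbitrary $n$. Note that all the gates used are 2-qubit gates. In the general case the number of gates used is $(n + 1)n/2 < n^2$, as claimed.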
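An added example (not from the paper) that simulates the circuit of Figure 18 gate by gate for $n$ qubits and compares the result with the definition of $Q$. It assumes $R_\phi = \mathrm{diag}(1, e^{-i\phi})$, the sign convention implied by the phases $e^{-i\pi k_3}$ and $e^{-i\pi/2}$ in the calculation above, and it implements the final qubit swaps as a reversal of the index bits; all function names are illustrative.

```python
"""Gate-by-gate simulation of the circuit of Figure 18, generalised to n qubits."""
import cmath
from math import pi, sqrt


def hadamard(state, t):
    """Apply the Walsh-Hadamard gate W to qubit t (bit t of the basis index)."""
    out = list(state)
    for i in range(len(state)):
        if not (i >> t) & 1:
            j = i | (1 << t)
            out[i] = (state[i] + state[j]) / sqrt(2)
            out[j] = (state[i] - state[j]) / sqrt(2)
    return out


def controlled_phase(state, control, target, phi):
    """Controlled R_phi, assuming R_phi = diag(1, exp(-i*phi)): multiply the
    amplitude by exp(-i*phi) when both the control and the target bit are 1."""
    shift = cmath.exp(-1j * phi)
    return [amp * shift if (i >> control) & 1 and (i >> target) & 1 else amp
            for i, amp in enumerate(state)]


def reverse_bits(i, n):
    """Reverse the n-bit binary expansion of i (the final qubit swaps)."""
    return int(format(i, f"0{n}b")[::-1], 2)


def qft_circuit(k, n):
    """Run the circuit on the basis state |k>; return (final state, gates used)."""
    state = [0j] * (1 << n)
    state[k] = 1 + 0j
    gates = 0
    for t in reversed(range(n)):              # phase 1 acts on the top qubit
        state = hadamard(state, t)
        gates += 1
        for j in reversed(range(t)):          # controlled B_1, B_2, ... gates
            state = controlled_phase(state, j, t, pi / 2 ** (t - j))
            gates += 1
    state = [state[reverse_bits(b, n)] for b in range(1 << n)]
    return state, gates


def qft_direct(k, n):
    """Q|k> from the definition: amplitudes exp(-2*pi*i*k*b/2^n) / sqrt(2^n)."""
    q = 1 << n
    return [cmath.exp(-2j * pi * k * b / q) / sqrt(q) for b in range(q)]


def max_deviation(n):
    """Largest entrywise difference between the circuit and the definition."""
    worst = 0.0
    for k in range(1 << n):
        circuit, _ = qft_circuit(k, n)
        worst = max(worst, max(abs(x - y) for x, y in zip(circuit, qft_direct(k, n))))
    return worst


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        _, gates = qft_circuit(0, n)
        print(f"n={n}: {gates} gates, max deviation {max_deviation(n):.2e}")
```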



4.8. The continued fractions algorithm. A (finite) continued fraction is an expression of the form

$$a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cdots + \cfrac{1}{a_n}}}$$

where $a_0 \in \mathbb{Z}$, $a_i \in \mathbb{N}$, for each $i > 0$, and $n \ge 0$. This finite continued fraction is denoted $[a_0, \ldots, a_n]$ and clearly represents a unique rational number. Conversely, using the Euclidean algorithm, it can be seen that a positive rational number can be expressed uniquely as a finite continued fraction $[a_0, \ldots, a_n]$, with $a_n > 1$ (see [28] or [40]).

Example 4.9. As

$$125 = 3 \cdot 37 + 14$$
$$37 = 2 \cdot 14 + 9$$
$$14 = 1 \cdot 9 + 5$$
$$9 = 1 \cdot 5 + 4$$
$$5 = 1 \cdot 4 + 1$$

we have

$$\frac{125}{37} = 3 + \frac{14}{37} = 3 + \cfrac{1}{2 + \frac{9}{14}} = 3 + \cfrac{1}{2 + \cfrac{1}{1 + \frac{5}{9}}} = \cdots = 3 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{1 + \cfrac{1}{1 + \frac{1}{4}}}}}$$

and so the continued fraction representing 125/37 is [3, 2, 1, 1, 1, 4].

The $j$th convergent of the continued fraction $[a_0, \ldots, a_n]$ is the expression $[a_0, \ldots, a_j] = p_j/q_j$, say. Continuing the above example the convergents of 125/37 are [3] = 3, [3, 2] = 7/2, [3, 2, 1] = 10/3, [3, 2, 1, 1] = 17/5, [3, 2, 1, 1, 1] = 27/8, and 125/37. Clearly we may compute the convergents of a given rational number using the Euclidean algorithm as in the above example and this allows us to make use of Theorem 4.6 in Shor's algorithm. The complexity of this algorithm, known as the continued fraction algorithm, is the same as that of the Euclidean algorithm: that is $O(L^3)$ operations are required to compute the continued fraction of $p/q$, where $L = \max\{\log(p), \log(q)\}$.

4.9. The hidden subgroup problem. The problems of factoring integers and finding the 
period of functions may both be regarded as instances of the "hidden subgroup problem" which 
we discuss in this section. 

Let $G$ be a group and $X$ a set and let $f : G \to X$ be a function. Assume that there is a subgroup $K \le G$ such that

(i) $f$ restricted to $gK$ is constant, for all $g \in G$, and

(ii) if $gK \neq hK$ then $f(g) \neq f(h)$.

Then we say that $f$ is a hidden subgroup function which hides the subgroup $K$ and that $K$ is the hidden subgroup of $f$. The hidden subgroup problem is to find the hidden subgroup of a given
hidden subgroup function. That is, to solve the problem we must find a generating set for K. (In 
some weaker versions of the problem it is only required that random elements of K are found.) We 
are concerned here with the complexity of this problem and, in particular, whether or not it can be 
solved more quickly using quantum rather than classical techniques. We shall say that the hidden 
subgroup problem can be solved efficiently if there is an algorithm which outputs generators of 
K in time bounded by some polynomial in log|G|. This is a simplification, as in practice it is 
necessary to consider how G is encoded and the effect of this encoding on the complexity of the 
problem. However for the purposes of the present brief discussion it is enough to assume that our 
quantum system has access to elements of G in some appropriate form. 

First of all we point out that the hidden subgroup problem has a number of intrinsically interesting special cases. For example, a periodic function $f$ with period $r$, in the sense of Section |4~T1 on a cyclic group $C = \langle x \rangle$, hides the subgroup $\langle x^r \rangle$. Therefore, period finding, and hence factoring of integers are, as claimed, particular cases of this problem.

Another problem which may be described in this way is that of finding discrete logarithms. Given a cyclic group $G$ of order $n$ generated by an element $g$ the discrete logarithm problem is, given $a \in G$, to find the least positive integer $r$ such that $a = g^r$. To formulate this as a hidden subgroup problem consider the function $f : \mathbb{Z}_n \times \mathbb{Z}_n \to \mathbb{Z}_n$ given by $f(x, y) = g^x a^{-y}$. This is a homomorphism with kernel the subgroup $K$ generated by $(r, 1) \in \mathbb{Z}_n \times \mathbb{Z}_n$. Therefore $f$ hides the subgroup $K$. Clearly finding the generator of $K$ gives us $r$. In fact if we can obtain any element $(s, t) \in K$ then we can compute $r = s/t$ (in time $O(\log^2(n))$) as long as we know that $K$ is generated by an element of the form $(r, 1)$. The U.S. Digital Signature Algorithm is based on the assumption that no polynomial algorithm is known for the discrete logarithm problem [42]. Details of an efficient quantum algorithm for this problem may be found in [45].

As a third example consider a group $G$ acting on a set $X$. If $x \in X$ then we may define a function $f : G \to X$ by $f(g) = g \cdot x$, for $g \in G$. Then $f$ hides the stabiliser of $x$.

As a further example we mention that the graph isomorphism problem may be viewed as a special case of the hidden subgroup problem (see [33, Section 6]). No polynomial time algorithm for the graph isomorphism problem is known but on the other hand it is not known to be NP-complete. (A problem is NP if there is a classical non-deterministic polynomial time algorithm for its solution. A problem is NP-complete if every problem which is NP may be reduced, efficiently, to this problem. See [47] for further details.) As a problem which seems likely to lie outside the class of



."hS 



M. BATTY, S. L. BRAUNSTEIN, A. J. DUNCAN, AND S. REES 



problems classically solvable in polynomial time and which also seems unlikely to be NP-complete, 
the graph isomorphism problem is a good test case for the power of quantum computation. In its 
formulation as a hidden subgroup problem it becomes a question of finding a hidden subgroup of a 
permutation group (of degree twice the number of vertices of the graphs in question) . An efficient 
quantum algorithm for the hidden subgroup problem in permutation groups would therefore give 
rise to an efficient quantum algorithm for the graph isomorphism problem. However, at the time 
of writing, there are very few non-Abelian groups for which polynomial time quantum algorithms 
for the hidden subgroup problem have been found. 

The first quantum algorithm for a hidden subgroup problem appears to be Deutsch's algorithm,
where the hidden subgroup of $\mathbb{Z}_2$ is either trivial or the entire group. However the subject begins in
earnest with Simon's algorithm, [55] and [56], for a restricted case of the hidden subgroup problem
in $\mathbb{Z}_2^n$. Simon's algorithm uses the Walsh-Hadamard transform on $\mathbb{Z}_2^n$ to extract information from
a quantum state, but the hidden subgroup here must have order 2. Shor [53] realised that it was
possible to implement the quantum Fourier transform for $\mathbb{Z}_{2^n}$ and used it instead of the
Walsh-Hadamard transform to generalise Simon's algorithm. This resulted in the factorisation algorithm
described above. Subsequently methods for implementing and applying the quantum Fourier
transform to a wider class of Abelian groups were developed by a number of people including
Shor [54], Cleve, Coppersmith [13] and Deutsch. Kitaev implemented the quantum Fourier
transform 3£S] for arbitrary finitely generated Abelian groups and used it to construct his phase
estimation algorithm which finds eigenvalues of unitary transformations. More precisely, Kitaev's
phase estimation algorithm, given a unitary transformation and one of its eigenvectors $|u\rangle$, will
return a value $\phi$, where $e^{2\pi i\phi}$ is the eigenvalue corresponding to $|u\rangle$ (see for example [45]). Kitaev
used the phase estimation algorithm to solve the problem of finding stabilisers, as described above,
where $G$ is a finitely generated Abelian group, and showed how this gives rise to efficient algorithms
for factoring integers and for the discrete logarithm problem. Mosca and Ekert [44] have shown
that the phase estimation algorithm can be used to solve the general hidden subgroup problem in
finitely generated Abelian subgroups.

Moving away from Abelian groups Ettinger and Høyer construct an algorithm which solves the
hidden subgroup problem in the finite dihedral group $G$, using at most a polynomial (in $\log|G|$)
number of calls to the unitary transformation $U_f$ simulating $f$ (as in Section 4.4). However their
algorithm requires exponential time to interpret the output. That is, the part of the algorithm
analogous to the continued fractions post processing in Shor's algorithm requires exponentially
many operations. Ettinger, Høyer and Knill [17] generalise this to show that there is a quantum
algorithm for the hidden subgroup problem in an arbitrary finite group $G$ which requires $O(\log|G|)$
calls to $U_f$. However they do not give explicit implementation of the measurements required, and
the post processing part of the algorithm is again exponential. Püschel, Rötteler and Beth [50],
[52] have implemented the quantum Fourier transform for the wreath product $\mathbb{Z}_2^n \wr \mathbb{Z}_2$ and hence
solve the hidden subgroup problem efficiently in these groups. Hallgren, Russell and Ta-Shma [26]
have shown that the special case of the hidden subgroup problem where $K$ is a normal subgroup
of a finite group $G$ can be solved efficiently on a quantum computer. Their algorithm uses the
Fourier transform for an arbitrary finite group to distinguish $K$. Ivanyos, Magniez and Santha
[30] generalise [52] by constructing polynomial time quantum algorithms for the hidden subgroup
problem in specific finite groups: namely groups having small commutator subgroups and groups
which have an elementary Abelian normal 2-subgroup of small index or with cyclic factor group.
(Here small means of order polynomial in $\log|G|$.)

Friedl, Ivanyos, Magniez, Santha and Sen [21] complete and generalise much of the above by
extending these last results to solvable groups satisfying the following condition on their commutator
subgroups. A finite Abelian group $A$ is said to be smooth if it is the direct sum of an elementary
Abelian $p$-group, for some prime $p$, with a group of order polynomial in A finite solvable
group $G$ is said to be smoothly solvable if the Abelian factors of its derived series are smooth
Abelian groups. In [21] efficient quantum algorithms are constructed for the hidden subgroup
problem in finite solvable groups which have smoothly solvable commutator subgroups. These
include semidirect products of the form $\mathbb{Z}_p^k \rtimes \mathbb{Z}_2$, where $p$ is a prime (which reduce to finite dihedral
groups of order $2p$ when $k = 1$) and groups of upper triangular matrices of bounded dimension
over a finite field. In fact their work builds on quantum algorithms for solvable groups developed
by Watrous [60] and Cheung and Mosca [10].

Moore, Rockmore, Russell and Schulman [43] show that $q$-hedral groups $\mathbb{Z}_p \rtimes \mathbb{Z}_q$ have quantum
efficiently solvable hidden subgroup problem, when $q = (p-1)/g(\log(p))$, for some polynomial $g$.
They also prove that quantum efficiency of the hidden subgroup problem is closed under taking
certain extensions, as follows. Suppose that there is an efficient quantum algorithm for the hidden
subgroup problem in the group $H$. Let $G$ be a group with normal subgroup $N$ such that $G/N = H$
and $|N| = g(\log|H|)$, for some polynomial $g$. Then there is an efficient quantum algorithm for the
hidden subgroup problem in $G$.

Hallgren [25] considers the problem of finding the period of a periodic function $f$ from the group
$\mathbb{R}$ to a set $X$, where the period may be irrational. Hallgren's quantum algorithm runs in time
polynomial in an appropriately defined input size. This gives rise to efficient algorithms for a
number of computational problems of algebraic number theory: the solution of Pell's equation,
the principal ideal problem and determination of the class group. No efficient classical algorithms
are known for any of these problems. (A full and self-contained exposition of Hallgren's algorithm
and its application to number theoretic problems may be found in [34].) In [41] Lomonaco and
Kauffman consider the hidden subgroup problem in $\mathbb{R}$ and various other Abelian groups which are
not finitely generated.

5. Grover's algorithm



5.1. Overview. Grover's algorithm [24] operates in a quite different way to Shor's. The basic
problem is an unstructured search: We are given an $N$ element set $X$ and a map $P : X \to \{0,1\}$
and are required to find $x \in X$ such that $P(x) = 1$. We call a value of $x$ such that $P(x) = 1$ a
solution to the search problem. In the first four parts of this Section we consider the algorithm
for the case where we know that there are exactly $M \ge 1$ solutions. Then, in Section 5.5 we show
how techniques developed by Brassard, Høyer and Tapp can be used to remove this constraint. In
Section 5.2 we describe the algorithm and then in Sections 5.3 and 5.4 we explain why it works.

No extra information is known about $P$, we merely have an oracle to evaluate $P(x)$ for a given
$x \in X$. Classically, the best algorithm (exhaustive testing) requires $N - M + 1$ evaluations to
find a solution $x$ with certainty, since the first $N - M$ elements tested may be non-solutions.
Probabilistically, we would expect to find a result after $N/2M$ evaluations. In contrast, Grover's
quantum algorithm performs the search in time $O(\sqrt{N/M})$ on a quantum computer.

The idea of the algorithm is, roughly speaking, the following. Suppose that $N$ has size $2^n$ and, as
before, we prepare the standard superposition of all possible outputs (entangled with inputs):

$$\frac{1}{\sqrt{2^n}}\sum_{x=0}^{2^n-1}|x\rangle\otimes|P(x)\rangle.$$

We wish to find a state $|x\rangle\otimes|1\rangle$ for some $x$. By direct measurement at this stage, there is only a
probability of $M/\sqrt{2^n}$ of finding such a state. In the worst case when there is only one solution
this falls to $1/\sqrt{2^n}$. The strategy is to increase the amplitude of vectors of the form $|x\rangle\otimes|1\rangle$ and
decrease the amplitude of those of the form $|x\rangle\otimes|0\rangle$, until the state approximates

$$\frac{1}{\sqrt{M}}\sum_{i=1}^{M}|x_i\rangle\otimes|1\rangle, \tag{5.1}$$

where the solution set is $\{x_1,\dots,x_M\}$. Measuring this altered state then gives a solution with
high probability.



5.2. A circuit for Grover's algorithm. Let us consider how this strategy may be carried
out in practice. We assume, for simplicity, that $N = 2^n$, for some positive integer $n$ and that
we know in advance that there are exactly $M$ solutions, where $M \ge 1$. The algorithm uses the
standard oracle $U_P$ for the function $P$ which, as in Section 2.10, maps $|x\rangle\otimes|y\rangle$ to $|x\rangle\otimes|P(x)\oplus y\rangle$.
Thus the quantum system underlying the algorithm consists of a first register of $n$ qubits and
second register, called the oracle workspace, of a single qubit. As in the description of Deutsch's
algorithm in Section 3.3 we begin with the state $|0\rangle^{\otimes n}\otimes|1\rangle$ to which is applied $W^{\otimes n}\otimes W$ followed
by $U_P$. As in Section 3.3 the first register then contains

$$\frac{1}{\sqrt{N}}\sum_{x=0}^{N-1}(-1)^{P(x)}|x\rangle = \mathcal{D}(P), \tag{5.2}$$

as defined in (3.1). Note that the oracle maps the state $|x\rangle\otimes|w\rangle$ to $(-1)^{P(x)}|x\rangle\otimes|w\rangle$, so we may
regard the second register as unchanged and the amplitude of the first register as multiplied by
$-1$ if and only if $x$ is a solution.

We now need to magnify the amplitudes of the vectors $|x\rangle$ where $x$ is a solution. This is
accomplished using inversion about the mean which may be defined as the unitary transformation
$F = W^{\otimes n}TW^{\otimes n}$, where $T$ is the conditional phase shift operator given by

$$T|0\rangle = |0\rangle \quad\text{and}\quad T|x\rangle = -|x\rangle, \text{ for all } x \ne 0.$$

We shall discuss inversion about the mean in more detail in Section 5.3, for the time being assuming
that it does what we require of it: that is to increase negative amplitudes and decrease positive
ones. With this assumption apply $F$ to the state $\mathcal{D}(P)$ of (5.2) (that is we apply $F\otimes I$ to our
quantum system). As shown in Figure 19 we then repeat the process, applying $U_P$ followed by
$F$ until the amplitudes of the solutions approach $1/\sqrt{M}$ and the amplitudes of all other basis
vectors approach zero, as in (5.1). We call the composite function $Q = (F\otimes I)\circ U_P$ the Grover
operator. The question is how do we know how many iterations of $Q$ to allow before halting. It will
become apparent in Section 5.4, where we answer this question, that we must choose the number
$R$ of iterations carefully, as the amplitudes of the solutions do not approach a steady state but
rather oscillate, so too many iterations will be as bad as too few. As we shall see, the required
number of iterations is $O(\sqrt{N/M})$.

Figure 19. Operation of Grover's algorithm (panels: inversion about the mean; after $O(\sqrt{N/M})$ operations).

Grover's algorithm can be depicted using the circuit diagrams in Figures 20 and 21.

Figure 20. The quantum circuit for Grover's algorithm (labels: $n$ qubits; oracle workspace; $O(\sqrt{N/M})$ copies).



5.3. Inversion about the mean. We now explain why the operation $F$ of Section 5.2 is
called "inversion about the mean" and behaves as shown in Figure 19. It is easy to verify that the
conditional phase shift operator $T$ satisfies

$$T = 2|0\rangle\langle 0| - I.$$

Inversion about the mean is then given by

$$F = W^{\otimes n}(2|0\rangle\langle 0| - I)W^{\otimes n}. \tag{5.3}$$

Figure 21. Decomposition of the Grover operator $G$ (labels: oracle, $|x\rangle \mapsto (-1)^{P(x)}|x\rangle$; phase shift $T$, $|0\rangle \mapsto |0\rangle$ and $|x\rangle \mapsto -|x\rangle$ if $x \ne 0$).



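If we let

$$|\psi\rangle = W^{\otimes n}|0\rangle = \frac{1}{\sqrt{N}}\sum_{x=0}^{N-1}|x\rangle$$

then we have

$$\langle\psi| = \langle 0|W^{\otimes n} = \frac{1}{\sqrt{N}}\sum_{x=0}^{N-1}\langle x|.$$

It follows, from (5.3), that

$$F = 2|\psi\rangle\langle\psi| - I. \tag{5.4}$$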

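Now consider the action of this operator on a general quantum state. We have

$$F\sum_{k=0}^{N-1}\alpha_k|k\rangle = 2|\psi\rangle\langle\psi|\sum_{k=0}^{N-1}\alpha_k|k\rangle - \sum_{k=0}^{N-1}\alpha_k|k\rangle.$$

Now,

$$|\psi\rangle\langle\psi|\sum_{k=0}^{N-1}\alpha_k|k\rangle = \frac{1}{N}\sum_{x=0}^{N-1}\sum_{z=0}^{N-1}\sum_{k=0}^{N-1}\alpha_k\,|x\rangle\langle z|k\rangle = \frac{1}{N}\sum_{k=0}^{N-1}\alpha_k\sum_{x=0}^{N-1}|x\rangle = A\sum_{x=0}^{N-1}|x\rangle,$$

where

$$A = \frac{1}{N}\sum_{k=0}^{N-1}\alpha_k$$

is the average (mean) of $\{\alpha_k\}$. So

$$F\left(\sum_{k=0}^{N-1}\alpha_k|k\rangle\right) = \sum_{k=0}^{N-1}(2A - \alpha_k)|k\rangle.$$

Therefore $F$ acts by reflecting the amplitudes $\alpha_k$ about their mean value $A$.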

5.4. The Grover operator as a rotation. Suppose that there are $M \ge 1$ solutions in a
search set of size $N$. Let

$$|a\rangle = \frac{1}{\sqrt{N-M}}\sum_{P(x)=0}|x\rangle \quad\text{and}\quad |b\rangle = \frac{1}{\sqrt{M}}\sum_{P(x)=1}|x\rangle.$$

The initial state of the system is

$$|\psi\rangle = \frac{1}{\sqrt{N}}\sum_{k=0}^{N-1}|k\rangle,$$

which can be written as

$$|\psi\rangle = \sqrt{\frac{N-M}{N}}\,|a\rangle + \sqrt{\frac{M}{N}}\,|b\rangle. \tag{5.5}$$

We claim that the Grover operator keeps the quantum state in the plane spanned by $|a\rangle$ and $|b\rangle$,
i.e. that the subspace $S = \operatorname{span}\{|a\rangle, |b\rangle\}$ of the quantum system is invariant under operation of
$Q$. Since the oracle $U_P$ acts on both the first and second registers it is convenient to define an
operator $O$ of the first register by $U_P(|x\rangle\otimes|w\rangle) = (O|x\rangle)\otimes|w\rangle$. This is possible since $U_P$ leaves
$|w\rangle$ unchanged. Thus $O$ determines the action of the oracle on the first register, given that the
second register is in state $|w\rangle$. Now let $G = F\circ O$. Then the operation of $Q$ on the first register
is determined by $G$. We aim to show that $S$ is invariant under $G$.

We first consider the action of the oracle on $S$. We have $O|a\rangle = |a\rangle$ and $O|b\rangle = -|b\rangle$. Thus

$$O(\alpha|a\rangle + \beta|b\rangle) = \alpha|a\rangle - \beta|b\rangle \in \operatorname{span}\{|a\rangle, |b\rangle\},$$

so $S$ is invariant under the action of the oracle. Geometrically, $O|_S$ is a reflection in the line
through the origin defined by $|a\rangle$ (by which we mean the set of points $\alpha|a\rangle$, for $\alpha \in \mathbb{C}$).

Next we consider the action of inversion about the mean, that is the operator $F$, on $S$. From (5.4)
we have

$$F(\alpha|a\rangle + \beta|b\rangle) = 2\alpha\langle\psi|a\rangle|\psi\rangle + 2\beta\langle\psi|b\rangle|\psi\rangle - \alpha|a\rangle - \beta|b\rangle.$$

Since $|\psi\rangle \in S$ it follows that $S$ is invariant under $F$ and, with the above, this implies that $S$ is
invariant under $G$, as required.

Moreover, it is easy to see that $F|\psi\rangle = |\psi\rangle$ and that if $|\phi\rangle$ is orthogonal to $|\psi\rangle$ then $F|\phi\rangle = -|\phi\rangle$.
Thus $F|_S$ is a reflection in the line through the origin defined by $|\psi\rangle$. Thus $G|_S$, being the
composition of two reflections in lines through the origin, is a rotation about the origin of the
plane $S$. To find the angle of rotation note that since $1 \le M \le N$ we have $0 \le \sqrt{(N-M)/N} < 1$,
so that there exists $\theta \in \mathbb{R}$ such that $0 < \theta \le \pi$ and $\cos(\theta/2) = \sqrt{(N-M)/N}$. From (5.5) we have
therefore

$$|\psi\rangle = \cos\left(\frac{\theta}{2}\right)|a\rangle + \sin\left(\frac{\theta}{2}\right)|b\rangle.$$

Thus $G|_S$ is an anticlockwise rotation about the origin, through an angle $\theta$, as shown in Figure 22.
Hence

$$G|\psi\rangle = \cos\left(\frac{3\theta}{2}\right)|a\rangle + \sin\left(\frac{3\theta}{2}\right)|b\rangle$$

and in general,

$$G^k|\psi\rangle = \cos\left(\frac{(2k+1)\theta}{2}\right)|a\rangle + \sin\left(\frac{(2k+1)\theta}{2}\right)|b\rangle.$$

Figure 22. Geometric interpretation of the Grover operator (labels: $|b\rangle$, $O|\psi\rangle$).

If we rotate $|\psi\rangle$ through $\cos^{-1}\left(\sqrt{M/N}\right)$ radians then we obtain a state close to the desired vector
$|b\rangle$. Measuring this state we will, with high probability, observe $x$ such that $P(x) = 1$, that is a
solution to the search problem. Thus the number of times we should iterate the Grover operator
is given by

R =

If $M < N/2$ then $\theta/2 \ge \sin(\theta/2) = \sqrt{M/N}$. Thus we obtain, in this case,

$$\frac{\pi}{4}\sqrt{\frac{N}{M}}$$

as an upper bound for $R$. Note that if we iterate approximately $\pi\sqrt{N/M}/2$ times, then we have
rotated back almost to $-|a\rangle$, and the probability of obtaining a solution is much worse again. So
determining the appropriate number of iterations is a delicate matter. In the case where $M = 1$
as in Grover's original paper, the number of iterations required is approximately $\pi\sqrt{N}/4$.

It can be shown that if $M \ge N/2$, i.e. more than half of the elements of the search set are
solutions, then the number of iterations required increases with $M$. (See [45].) However, if we
know in advance that $M > N/2$ then sampling the set $X$ at random, and checking for a solution
using the oracle, we'll find a solution with probability at least 1/2, with only one call to the
oracle. Even when it is not known in advance whether or not $M > N/2$, by doubling the size
of the first register and padding it with non-solutions we can assume, at very low cost, that in
fact $M < N/2$ and so use the above bound $R$ on the number of iterations required (see [45] for
details). In conclusion the number of Grover operations $Q$ required for a solution to be found with
high probability is $O(\sqrt{N/M})$.

We show in the next section how we can estimate $M$ when it is not known in advance. Also, note
the following.

(i) If the required probability of error is less than a given constant then the oracle in Grover's
algorithm can also be implemented in time $O(\sqrt{N})$ to search an unstructured database. (See

(ii) The time complexity of unstructured quantum search algorithms is known to be $\Omega(\sqrt{N})$ (see

m) 
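The behaviour described in Sections 5.3 and 5.4 can be reproduced by tracking the $N$ amplitudes of the first register directly. The following Python simulation is an added example, not code from the paper: the instance ($N = 2^8$ with three marked items) is constructed, and the iteration count is chosen by scanning $k$ rather than by a closed formula. It compares the simulated success probability with $\sin^2((2k+1)\theta/2)$ and shows the collapse when iterating twice as long.

```python
"""Classical simulation of Grover's iteration G = F o O on the amplitudes of the first register.
Constructed instance (not from the paper): N = 2^8 and three marked items."""
from math import acos, ceil, pi, sin, sqrt


def oracle(amps, solutions):
    """O: multiply the amplitude of |x> by -1 exactly when P(x) = 1."""
    return [-a if x in solutions else a for x, a in enumerate(amps)]


def inversion_about_mean(amps):
    """F = 2|psi><psi| - I sends each alpha_k to 2A - alpha_k, A being the mean amplitude."""
    mean = sum(amps) / len(amps)
    return [2 * mean - a for a in amps]


def grover_state(n_qubits, solutions, iterations):
    """Amplitudes of G^k |psi>, starting from the uniform superposition |psi>."""
    size = 2 ** n_qubits
    amps = [1 / sqrt(size)] * size
    for _ in range(iterations):
        amps = inversion_about_mean(oracle(amps, solutions))
    return amps


def success_probability(amps, solutions):
    """Probability that measuring the first register yields a solution."""
    return sum(amps[x] ** 2 for x in solutions)


def predicted_probability(size, n_solutions, k):
    """sin^2((2k+1) theta/2), read off from the rotation formula for G^k |psi>."""
    theta = 2 * acos(sqrt((size - n_solutions) / size))
    return sin((2 * k + 1) * theta / 2) ** 2


def best_iteration_count(size, n_solutions):
    """Scan k up to ceil((pi/4) sqrt(N/M)) and keep the k with the largest success probability."""
    bound = ceil(pi / 4 * sqrt(size / n_solutions))
    return max(range(bound + 1), key=lambda k: predicted_probability(size, n_solutions, k))


if __name__ == "__main__":
    n_qubits, solutions = 8, {19, 101, 200}       # constructed search problem
    size, m = 2 ** n_qubits, len(solutions)
    best = best_iteration_count(size, m)
    for k in (0, 1, best, 2 * best):
        p = success_probability(grover_state(n_qubits, solutions, k), solutions)
        print(f"k={k:2d}  simulated={p:.5f}  predicted={predicted_probability(size, m, k):.5f}")
```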

5.5. The Brassard Høyer Tapp counting algorithm. In [6], Brassard, Høyer and Tapp
describe general conditions under which Grover's techniques may be used. They also give a
novel method for approximating the number of values $x$ for which a boolean function $P$ satisfies
$P(x) = 1$. Some related work, on the eigenvalue analysis of the operator described in this section,
is also due to Mosca. A more developed version by all four authors above appears in [7]. Given
a system in state $|\psi\rangle$ the idea is to find a superposition of $G^m|\psi\rangle$, for all values of $m$ in a given
range, where $\psi$ and $G$ are defined in Section 5.4. Since $G$ is a rotation, the above state will be
periodic in $m$. So as in Shor's algorithm, we may apply the quantum Fourier transform of $m$ which
will find the period of the above state (efficiently). From this we can estimate the number of
solutions (without actually finding any!) and hence the number of rotations required for Grover's
algorithm above to find a solution with high probability.

Given the Grover operator $G$ for $P$, define the counting operator for $P$ to be

$$C : |m\rangle\otimes|\psi\rangle \mapsto |m\rangle\otimes G^m|\psi\rangle.$$

Assume that the value $m$ can take any value in $\{0,\dots,R = 2^r - 1\}$. Then the quantum circuit
in Figure 23 will estimate the period of $C\circ(W\otimes W)\,|0\rangle\otimes|0\rangle$. The accuracy to which we can
estimate this period depends on how large a value of $R$ we take. More precisely, it is shown in [5]
(theorem 5) that if $t = |P^{-1}(1)| \le N/2$ and $c$ is the output of this circuit, then

$$|c - t| < \frac{2\pi}{R}\sqrt{tN} + \frac{\pi^2}{R^2}N \quad\text{with probability at least } \frac{8}{\pi^2}.$$

Figure 23. Brassard, Høyer and Tapp's counting circuit (labels: inputs $|0\rangle$, $|0\rangle$; $W$, $W$; $|m\rangle$; $C$; $Q_R$; measure).
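Because $G$ acts on the plane $S$ as a rotation, the outcome distribution of the counting circuit can be computed exactly without simulating the full register. The following Python sketch is an added example, not code from the paper or from [5]: it assumes $m$ ranges over $0,\dots,R-1$ with $R = 2^r$, converts an outcome $y$ to a count by $c = N\sin^2(\pi y/R)$, and uses constructed sizes $N = 1024$, $t = 20$ to check the error bound $\frac{2\pi}{R}\sqrt{tN} + \frac{\pi^2}{R^2}N$ and the probability $8/\pi^2$.

```python
"""Outcome distribution of the counting circuit, computed inside the invariant plane S.
Assumptions of this sketch: m ranges over 0..R-1 with R = 2**r, and an outcome y is
converted to a count by c = N sin^2(pi y / R). Sample sizes are constructed."""
import cmath
from math import asin, cos, pi, sin, sqrt


def counting_distribution(size, n_solutions, r):
    """P(y) for the Fourier-transformed counting register.
    Uses G^m|psi> = cos((2m+1)theta/2)|a> + sin((2m+1)theta/2)|b>."""
    big_r = 2 ** r
    half_theta = asin(sqrt(n_solutions / size))
    probs = []
    for y in range(big_r):
        amp_a = amp_b = 0j
        for m in range(big_r):
            phase = cmath.exp(-2j * pi * m * y / big_r)
            angle = (2 * m + 1) * half_theta
            amp_a += phase * cos(angle)
            amp_b += phase * sin(angle)
        # 1/sqrt(R) from the uniform superposition over m, 1/sqrt(R) from the transform
        probs.append((abs(amp_a) ** 2 + abs(amp_b) ** 2) / big_r ** 2)
    return probs


def count_from_outcome(size, y, r):
    """The period of G^m shows up as y ~ R*theta/(2 pi) or R minus that; both give the same c."""
    return size * sin(pi * y / 2 ** r) ** 2


def error_bound(size, n_solutions, r):
    """(2 pi / R) sqrt(tN) + (pi^2 / R^2) N."""
    big_r = 2 ** r
    return 2 * pi / big_r * sqrt(n_solutions * size) + pi ** 2 / big_r ** 2 * size


def probability_within_bound(size, n_solutions, r):
    """Total probability of the outcomes whose estimate c satisfies |c - t| < bound."""
    bound = error_bound(size, n_solutions, r)
    probs = counting_distribution(size, n_solutions, r)
    return sum(p for y, p in enumerate(probs)
               if abs(count_from_outcome(size, y, r) - n_solutions) < bound)


if __name__ == "__main__":
    size, t, r = 1024, 20, 6                      # constructed instance
    probs = counting_distribution(size, t, r)
    top = max(range(2 ** r), key=lambda y: probs[y])
    print("most likely outcome:", top, " estimate c =", round(count_from_outcome(size, top, r), 2))
    print("error bound:", round(error_bound(size, t, r), 2))
    print("P(|c - t| < bound) =", round(probability_within_bound(size, t, r), 4),
          " 8/pi^2 =", round(8 / pi ** 2, 4))
```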

6. Watrous' algorithms for solvable groups



Watrous [59], [60] has recently produced some group-theoretic work in quantum computing which
has quite a different nature to the hidden subgroup problem. In particular, he describes a Monte 
Carlo quantum algorithm which finds the order of a finite solvable group in polynomial time. 
This uses some of the techniques of Shor's algorithm, but also provides some new methods which 
depend critically on group structure. 

The group $G$ which is input to the algorithm is given as a finite black box group [4]. This means
that we assume the existence of some description of G as a set of binary strings of fixed length 
n. Multiplication and inversion of elements are performed, each at unit cost, by an oracle which 
knows this description. The input to the algorithm is a finite generating set for G, together with 
the oracle. 

The representation of the elements of G as binary strings gives us a natural association between 
the elements of $G$ and a subset of the basis elements of a $2^n$ dimensional vector space (that is, a
register of $n$ qubits). The notation $|g\rangle$ will be used to denote the basis element associated with
the group element g. One useful byproduct of Watrous' algorithm (and a vital step within the 
algorithm) is the computation of a uniform superposition 



in one of the registers. 

Classical Monte Carlo algorithms are already known which compute a polycyclic generating set
for a finite solvable group in polynomial time [3]. Hence we can assume that our starting point
for the algorithm is a generating set $g_1,\dots,g_k$ for which the subgroups $H_j = \langle g_1,\dots,g_j\rangle$ form a
subnormal series (that is $H_j \lhd H_{j+1}$, for each $j$). In this case, each quotient group $H_j/H_{j-1}$ is
cyclic, of order $r_j$ (we define $H_0$ to be the identity subgroup). The set of products of the form

$$g_k^{a_k}\cdots g_1^{a_1}$$

with each $a_j$ ranging from 0 to $r_j - 1$, provides a normal form, and the group order is the product
of the integers $r_j$. The problem is reduced to finding the $r_j$, as the orders of the cyclic factor
groups.

The algorithm works up the chain of the subgroups $H_j$, and so splits naturally into $k$ steps. We
shall describe just one such step, the $j$-th step, which computes $r_j$.

6.1. Step j of the algorithm. The $j$-th step of the algorithm splits into two phases. The
first phase computes $r_j$, as the period of the function



using a fairly straightforward variant of Shor's algorithm. The second phase, which involves some
rather intricate calculation, uses knowledge of the integer $r_j$ to compute a uniform superposition
of the elements of $H_j$. This superposition is then used as input for the first phase of the next
step. We shall describe both phases below. To make the notation easier, from now on we shall
abbreviate $r_j$ to $r$, $g_j$ to $g$ and $H_{j-1}$ to $H$. In this case, $H_j$ is equal to $\langle g\rangle H$. Following Watrous
we use the notation $|H\rangle$ for the superposition



and analogously $|\langle g\rangle H\rangle$ for the superposition over $\langle g\rangle H$.

The computation takes place in a large tensor product space with a number of different registers,
of two different types, which (like Watrous) we call R registers and A registers. The R registers
are used to store superpositions of basis vectors indexed by the elements of $G$. The A registers are
used to store superpositions of basis vectors indexed by the integers in some finite range $0,\dots,M-1$.
(We call the set of such integers $\mathbb{Z}_M$. Note that this is a subset of $\mathbb{Z}$ which is not quite the same
as the cyclic group of integers mod $M$.) How big $M$ needs to be differs between the two phases.

Recall that the quantum Fourier transform $Q_M$ acts on an A register as

$$Q_M : |a\rangle \mapsto \frac{1}{\sqrt{M}}\sum_{b\in\mathbb{Z}_M} e^{-2\pi i ab/M}|b\rangle.$$

(In fact, Watrous uses the convention which calls this the inverse transform, but for consistency
we use the notation of the rest of this article.) Group multiplication is provided by the unitary
transformation $U_G$ which acts on pairs of R registers as

$$U_G : |g\rangle\otimes|h\rangle \mapsto |g\rangle\otimes|gh\rangle.$$

A related unitary transformation $V_g$ acts on a pair of registers, one an A register the other an R
register, as

$$V_g : |a\rangle\otimes|h\rangle \mapsto |a\rangle\otimes|g^ah\rangle$$

and is a vital ingredient to the variant of Shor's algorithm.

6.2. The first phase of step j. We shall describe this phase only briefly, aiming only to
exhibit it as a variant of Shor's algorithm, which is described in detail in Section 4.

Here the A register needs to cover integers in the range $\mathbb{Z}_N$, where $N$ is 'large enough', basically
$2^{2n+O(\log 1/\epsilon)}$, where $\epsilon$ is to bound the probability of error. At the beginning of the $j$-th step the
A register contains $|0\rangle$, and the R register contains the uniform superposition $|H\rangle$.

We apply the inverse quantum Fourier transform $Q_N^{-1}$ to the A register, then $V_g$ to the pair of
registers, then the quantum Fourier transform $Q_N$ to the A register.

$$
\begin{aligned}
|0\rangle\otimes|H\rangle
&\xrightarrow{\;Q_N^{-1}\otimes I\;} \frac{1}{\sqrt{N}}\sum_{a\in\mathbb{Z}_N}|a\rangle\otimes|H\rangle\\
&\xrightarrow{\;V_g\;} \frac{1}{\sqrt{N}}\sum_{a\in\mathbb{Z}_N}|a\rangle\otimes|g^aH\rangle\\
&\xrightarrow{\;Q_N\otimes I\;} \frac{1}{N}\sum_{a\in\mathbb{Z}_N}\sum_{b\in\mathbb{Z}_N}e^{-2\pi i ab/N}|b\rangle\otimes|g^aH\rangle
\end{aligned}
$$

Observing A gives some $b$ in $\mathbb{Z}_N$ which is (with high probability) a good approximation for $k/r_j$,
for $k$ random.

From now on we follow Shor's standard procedure, as described in Section Using continued
fractions, we can find integers $u, v$ such that $u/v = k/r$, and with high probability $u$ and $v$ are
coprime. We repeat this process an appropriate number of times to give the required bound on
the probability of error, and then find $r$ as the lcm of the $v$ values.



6.3. The second phase of step j. The second phase has to extend the uniform superposition
of $H$ in the R register to a uniform superposition of $\langle g\rangle H$, using the knowledge of $r$ acquired
during the first phase. The aim of this section is to explain that computation of $|\langle g\rangle H\rangle$ from $|H\rangle$.

In fact we produce several copies of $|\langle g\rangle H\rangle$ from several copies of $|H\rangle$. More precisely, we use
$m = k - j + 2$ A registers and $m$ R registers to produce $m - 1$ copies of $|\langle g\rangle H\rangle$ from $m$ copies
of $|H\rangle$. At the beginning of this calculation, each of the $m$ R registers contains the superposition
$|H\rangle$. At the end, $m - 1$ of them contain $|\langle g\rangle H\rangle$, and can be used in the next step, and the other
must be discarded.

In this phase the A register is used to store the integers in $\mathbb{Z}_r$. During the phase we use the inverse
quantum Fourier transform $Q_r^{-1}$, the transformation $V_g$, and $U_G$.

The computation has two stages. During the first stage, we work with pairs of registers, each pair
consisting of one A register and one R register. We do the same computation with each pair, so to
describe this stage we need only say what happens to one such pair. At the beginning of the stage
the A register is set to $|0\rangle$ and the R register to $|H\rangle$. First we apply the inverse quantum Fourier
transform $Q_r^{-1}$ to the contents of the A register only, then we apply $V_g$ to the pair of registers,
and then $Q_r^{-1}$ again to the A register. Then we observe the A register, which projects onto the
observed value. Denote the output state of this stage by $|\psi\rangle$. Then we have

$$
\begin{aligned}
|0\rangle\otimes|H\rangle
&\xrightarrow{\;Q_r^{-1}\otimes I\;} \frac{1}{\sqrt{r}}\sum_{a\in\mathbb{Z}_r}|a\rangle\otimes|H\rangle\\
&\xrightarrow{\;V_g\;} \frac{1}{\sqrt{r}}\sum_{a\in\mathbb{Z}_r}|a\rangle\otimes|g^aH\rangle\\
&\xrightarrow{\;Q_r^{-1}\otimes I\;} \frac{1}{r}\sum_{a\in\mathbb{Z}_r}\sum_{b\in\mathbb{Z}_r}e^{2\pi i ab/r}|b\rangle\otimes|g^aH\rangle\\
&\xrightarrow{\;\text{measure A}\;} \frac{1}{\sqrt{r}}\sum_{a\in\mathbb{Z}_r}e^{2\pi i ab/r}|g^aH\rangle = |\psi\rangle.
\end{aligned}
$$

The state $|\psi\rangle$ is almost what we want. It is precisely what we want if we struck lucky and observed
$|0\rangle$ in the A register. But otherwise it contains coefficients $e^{2\pi i ab/r}$ which we would like to be able
to replace by 1's.
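
What follows forms the crucial part of Watrous' argument. He shows that if we have superpositions
$|\psi\rangle$ and $|\psi'\rangle$ in two distinct R registers, then we can operate on the pair of registers in such a way
that afterwards $|\psi\rangle$ is set to exactly the superposition we want, and $|\psi'\rangle$ is unchanged (and hence
it can be used again to 'correct' a different $|\psi\rangle$, in a different R register). In fact we apply the
operator $U_G$ to the pair of registers $c$ times in succession for a carefully chosen value of $c$. The
notation $U_G^c$ is used to denote the composition of $U_G$, with itself, $c$ times.

We suppose that

$$|\psi\rangle = \frac{1}{\sqrt{r}}\sum_{a\in\mathbb{Z}_r}e^{2\pi i ab/r}|g^aH\rangle, \qquad |\psi'\rangle = \frac{1}{\sqrt{r}}\sum_{a'\in\mathbb{Z}_r}e^{2\pi i a'b'/r}|g^{a'}H\rangle.$$

In order to calculate the effect of $U_G$ on $|\psi\rangle\otimes|\psi'\rangle$, it helps first to consider the effect on $|\psi'\rangle$ alone
of the R register operator $M_{g^ah}$, which is defined by the rule

$$M_{g^ah} : |x\rangle \mapsto |g^ahx\rangle.$$

We see that

$$
\begin{aligned}
|\psi'\rangle = \frac{1}{\sqrt{r}}\sum_{a'\in\mathbb{Z}_r}e^{2\pi i a'b'/r}|g^{a'}H\rangle
&= \frac{1}{\sqrt{r|H|}}\sum_{a'\in\mathbb{Z}_r}e^{2\pi i a'b'/r}\sum_{h'\in H}|g^{a'}h'\rangle\\
&\xrightarrow{\;M_{g^ah}\;} \frac{1}{\sqrt{r|H|}}\sum_{a'\in\mathbb{Z}_r}e^{2\pi i a'b'/r}\sum_{h'\in H}|g^ahg^{a'}h'\rangle\\
&= \frac{1}{\sqrt{r|H|}}\sum_{a'\in\mathbb{Z}_r}e^{2\pi i a'b'/r}\sum_{h'\in H}|g^{a+a'}h''h'\rangle, \quad\text{for some } h'' \text{ (since } H \lhd \langle g\rangle H)\\
&= \frac{1}{\sqrt{r|H|}}\sum_{a'\in\mathbb{Z}_r}e^{2\pi i a'b'/r}\sum_{h'\in H}|g^{a+a'}h'\rangle \quad (\text{rewriting } h' \text{ for } h''h')\\
&= \frac{1}{\sqrt{r}}\,e^{-2\pi i ab'/r}\sum_{a'\in\mathbb{Z}_r}e^{2\pi i(a'+a)b'/r}|g^{a'+a}H\rangle\\
&= \frac{1}{\sqrt{r}}\,e^{-2\pi i ab'/r}\sum_{a''\in\mathbb{Z}_r}e^{2\pi i a''b'/r}|g^{a''}H\rangle, \quad\text{for } a''\in\mathbb{Z}_r,\ a'' = a'+a \bmod r\\
&= e^{-2\pi i ab'/r}|\psi'\rangle.
\end{aligned}
$$

Note that in going from the third last to the second last line, the equation $g^{a'+a}H = g^{a''}H$ follows
from the fact $gH$ has order $r$ in $\langle g\rangle H/H$. Now, since $U_G(|g^ah\rangle\otimes|h'\rangle) = |g^ah\rangle\otimes M_{g^ah}|h'\rangle$,

$$
\begin{aligned}
|\psi\rangle\otimes|\psi'\rangle &= \frac{1}{\sqrt{r}}\sum_{a}e^{2\pi i ab/r}|g^aH\rangle\otimes|\psi'\rangle\\
&\xrightarrow{\;U_G\;} \frac{1}{\sqrt{r|H|}}\sum_{a}e^{2\pi i ab/r}\sum_{h}|g^ah\rangle\otimes M_{g^ah}|\psi'\rangle\\
&= \frac{1}{\sqrt{r|H|}}\sum_{a}e^{2\pi i ab/r}\sum_{h}|g^ah\rangle\otimes e^{-2\pi i ab'/r}|\psi'\rangle\\
&= e^{-2\pi i ab'/r}|\psi\rangle\otimes|\psi'\rangle.
\end{aligned}
$$

Here the factor $e^{-2\pi i ab'/r}$ depends on the summation index $a$, so the last line is shorthand for
$\frac{1}{\sqrt{r}}\sum_{a}e^{2\pi i a(b-b')/r}|g^aH\rangle\otimes|\psi'\rangle$; after $c$ applications the exponent becomes $a(b - cb')$.

Hence, provided that $cb' = b \bmod r$,

$$|\psi\rangle\otimes|\psi'\rangle \xrightarrow{\;U_G^c\;} |\langle g\rangle H\rangle\otimes|\psi'\rangle.$$

The first of the two R-registers thus contains the state $|\langle g\rangle H\rangle$.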
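The correction step can be verified numerically on a toy group. The following Python sketch is an added example, not Watrous' or the paper's code: it assumes $H$ is trivial and $\langle g\rangle$ is $\mathbb{Z}_r$ written additively, so that the coset $g^aH$ is the single basis state $|a\rangle$, and it only handles the case where $b'$ is invertible mod $r$; the values $r = 12$, $b = 5$, $b' = 7$ used in the demonstration are constructed.

```python
"""Phase correction with U_G^c, checked numerically on a toy group.
Assumption of this sketch: H is trivial and <g> is Z_r written additively, so the coset
g^a H is the single basis state |a> and U_G : |x>|y> -> |x>|x + y mod r>."""
import cmath
from math import gcd, pi, sqrt


def phased_state(r, b):
    """|psi> = r^(-1/2) * sum_a e^(2 pi i a b / r) |g^a H>, as a list indexed by a."""
    return [cmath.exp(2j * pi * a * b / r) / sqrt(r) for a in range(r)]


def tensor(u, v):
    """Product state on two R registers, as a dict {(x, y): amplitude}."""
    return {(x, y): u[x] * v[y] for x in range(len(u)) for y in range(len(v))}


def apply_u_g(state, r, times=1):
    """Apply U_G the given number of times: the first register is multiplied into the second."""
    for _ in range(times):
        state = {(x, (x + y) % r): amp for (x, y), amp in state.items()}
    return state


def correction_exponent(r, b, b_prime):
    """A c with c*b' = b (mod r). This sketch only handles b' invertible mod r."""
    if gcd(b_prime, r) != 1:
        return None
    return (b * pow(b_prime, -1, r)) % r


def distance(state, target):
    """Largest amplitude difference between two two-register states."""
    return max(abs(state[key] - target[key]) for key in target)


def corrected_pair(r, b, b_prime):
    """Return (U_G^c (|psi> x |psi'>), |<g>H> x |psi'>) for the c chosen above."""
    c = correction_exponent(r, b, b_prime)
    if c is None:
        raise ValueError("b' is not invertible mod r; this register cannot correct |psi>")
    psi, psi_prime = phased_state(r, b), phased_state(r, b_prime)
    uniform = phased_state(r, 0)          # b = 0 gives the uniform superposition |<g>H>
    return apply_u_g(tensor(psi, psi_prime), r, c), tensor(uniform, psi_prime)


if __name__ == "__main__":
    r, b, b_prime = 12, 5, 7              # constructed measurement outcomes
    got, want = corrected_pair(r, b, b_prime)
    print("c =", correction_exponent(r, b, b_prime))
    print("distance from |<g>H> x |psi'> after U_G^c:", distance(got, want))
    once = apply_u_g(tensor(phased_state(r, b), phased_state(r, b_prime)), r, 1)
    print("distance after a single U_G:", distance(once, want))
```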